IT Pro Perspectives

Is Windows 8 the New Vista?

Businesses pondering a move to Windows 8 have challenges to consider


OK, I’ll admit it. For the past decade, maybe two, I’ve been a Windows fanboy. I’ve always looked forward to each new release of Windows, and I’ll even go so far as to say that I was an early adopter of the much-maligned Windows Vista. With that said, this is the column I didn’t want to write. After my initial experiences running Windows 8 on a desktop and a laptop, I can’t really say I would encourage a typical existing Windows 7 desktop user to move to Windows 8.

I didn’t always feel this way. I got my first taste of Windows 8 at Build 2011, where I got a chance to run the early Windows 8 developer release on some Samsung tablets. My experiences on the tablet devices were good. I was excited about the possibilities of running Windows on a tablet—I still am. I plan to get one of the Microsoft Surface Pro devices as soon as they’re released.

However, my enthusiasm for the desktop implementation waned as I later installed the Windows 8 RC/RTM releases on a couple of standard mouse and keyboard-based systems in my office. The Start menu, which was present in the early developer release, was gone, forcing me to contend with the new (formerly named Metro) Start screen. I found the new interface unintuitive and awkward. I was able to use it after a brief learning period, but I was never really excited about it because I seemed to lose more than I gained. If I wasn’t stubbornly inclined to make it work, I would have probably gone ahead and installed the SourceForge Classic Shell to get my Start menu back.
Being pretty geeky, I know that my experiences don’t always mirror those of typical users. To find out if it was just me (and it often is), I decided to “scientifically” test Windows 8 on a couple of friends who are reasonably proficient computer users but not really what you would call computer experts.


Video: Michael Otey questions whether Windows 8 will go the way of Windows Vista.




I sat them both down in front of a Windows 8 laptop with the standard mouse and keyboard interface. Their similar reactions make me wonder if Microsoft actually does any usability studies with real people anymore—but I digress. At first they were excited by the new Start screen but quickly became frustrated trying to run multiple apps, trying to exit apps, and knowing when and how to switch back and forth to the desktop. Going through the keyboard shortcuts helped. But, for them, using keyboard shortcuts was a new and not altogether pleasant experience. Admittedly this not-so-scientific study was brief, and I’m sure my friends would have learned to adapt. But I am also sure this isn’t the experience Microsoft was going for with this obviously consumer-oriented release. Microsoft was clearly focused on the touch experience.
These experiences reminded me of the issues I faced a few years ago initially implementing Windows Vista. The interface was unfamiliar and in many ways not as productive as Windows XP. Changes such as UAC were good ideas in theory but annoying in practice, and they gave the OS a bad reputation. I see similarities with Windows 8, such as the need to switch between two completely dissimilar UI environments to open programs and the need to use more clicks, time, and effort to accomplish tasks than in Windows 7. Like in Vista, I’ve also run into device incompatibility issues where Windows 8 doesn’t have drivers for some of the hardware that worked fine with Windows 7. If I ran into this problem in my small sample, larger organizations are sure to be hit with it. Businesses considering adopting Windows 8 are not going to experience a painless rollout by any means. User training will be required, as will hardware and software upgrades.

Are there benefits to running Windows 8? Obviously for a Windows tablet install, Windows 8 is a no-brainer and the only game in town. There are also advantages for the desktop. Windows 8 does seem to boot slightly faster. It is a bit easier to run the most common programs you use because the Start menu buttons are bigger and easier to click. Windows To Go lets you boot from a USB device. Client Hyper-V lets you run virtual machines (VMs) on the desktop. It offers better integration with SkyDrive. Windows 8 promises to offer better battery life on a laptop, but I haven’t tested that. Whether these features are compelling enough for a business to undergo the pain of upgrade will depend on the specific needs of the organization.

Overall, Microsoft’s UI goal seems to be to give you a similar experience for all types of devices as the company is moving to put the (formerly named Metro) interface on the Windows phone, the upcoming Windows RT, Windows 8 tablets, and desktop versions of Windows 8 as well. On the surface (no pun intended), that goal seems laudable. But upon reflection and practice, I’m pretty sure that I don’t care for the one-size-fits-all approach. I would prefer that each device deliver the optimum performance and experience for that type of device.


Saddling the desktop with tiles and an interface better suited to a 
touch device doesn’t seem like a move forward. 

Windows 8 is clearly Microsoft’s move to the future, but as with Vista, it might take Microsoft a release or so to really get it right. I do think Microsoft needed a better mobile platform. Windows Phone and Windows RT with the interface formerly known as Metro are a great start in that direction. Windows 8 on the desktop could clearly be better. Little things like restoring the Start menu would go a long way toward making the Windows 8 transition easier for users with standard desktops and laptops that don’t have touch screens. But the right answer might be to have different UIs that are optimized for the different platforms.

The tablet implementation will keep Windows 8 from being another Vista. However, business adoption could be a different story. While it remains to be seen, businesses will probably use Windows 8 on devices such as an iPad. But they might be better off waiting until the next release or the next service pack where Microsoft can tweak the interface to make it better for non-touch enabled devices before deploying Windows 8 to their desktops.

InstantDoc ID 144536 
Windows 8 Updates, Microsoft’s New Direction, and Windows Phone’s Worst Enemy

This month, we look at some major changes in how Microsoft perceives itself and how that affects the products and services we’ll see in the coming year. It all starts with Windows 8, which isn’t your grandfather’s Windows.



New Update Schedule

Microsoft plans to update Windows 8 quite a bit differently than it has previous Windows versions. This is in keeping with the notion that Windows 8 is itself quite a bit different than its predecessors—that is, it’s a new mobile platform and not a further evolution of desktop-based systems such as Windows 7. But now we have a clue as to how this updating will take place.

My Windows Weekly cohost, Mary Jo Foley, has previously written about the new Windows 8 updating scheme as a project code-named Blue, a collection of rollups of fixes and updates akin to what Microsoft previously called a service pack or feature pack. My own sources have told me that Microsoft would update Windows on an ongoing basis, and that it might do away with version numbers completely. The next Windows RT, for example, will be called Windows RT, not Windows RT 2 or whatever.

With all this as a backdrop, consider what’s already happened. Microsoft has delivered what it calls a cumulative update for Windows 8 (and, as it turns out, Windows Server 2012). But this is no simple rollup: This update includes “fundamental” improvements to Windows 8 in the areas of increased power efficiency to extend battery life, performance improvements in Metro-style apps and the Start screen, improved audio and video playback, and improved application and driver compatibility. This is, in other words, a pretty serious change.

The timing is interesting. As Microsoft’s Steven Sinofsky explained in a blog post, the firm would have previously delivered this kind of update as part of a service pack, some 9 to 12 months after the general availability of that Windows version. But this is arriving, incredibly, before Windows 8 is released, during the 3-month lag between RTM (August 1, 2012) and general availability (October 26, 2012). This rate of change is also not an exception. Confirming my previous reports that Windows 8 would be updated on an ongoing basis, Mr. Sinofsky referred to a “new pace of delivering high quality updates to Windows.” This is the way things will be going forward, and this isn’t a one-off update.

Amazingly, it’s also not the only change Microsoft is making to Windows 8 prior to the public release of the OS. Just days before the cumulative update was announced, Microsoft also revealed that it would be updating virtually every single Metro-style app that ships with Windows 8, often in meaningful ways. This includes the SkyDrive, Mail, Calendar, People, Messaging, Photos, Maps, Bing, Finance, Travel, Sports, News, Weather, Video, Music, and Games apps. Since then, the firm has been busy pumping out the updates, and I expect the changes to continue well after Windows 8 is out in the world.

Microsoft Drops Software from Company Description

When Apple dropped the word “computer” from its corporate name in 2007, it was sending an explicit message that it was moving from being primarily a provider of personal computers to being a consumer electronics company. Microsoft in early October 2012 announced a similar directional change via an open letter to shareholders, customers, partners, and employees. In this letter, ostensibly written by CEO Steve Ballmer, the firm revealed it was no longer in the software business. Instead, Microsoft’s business is now devices and services.

This sounds ludicrous on the face of things, and yes, of course, creating software will still be the primary activity at Microsoft for some time to come. But this move, like the suddenly swift-moving Windows software updating process, mirrors a change that’s been brewing at Microsoft for years now. Even its traditional software products are increasingly being delivered as services now. Here’s how Ballmer explained it.

“This is a significant shift, both in what we do and how we see ourselves—as a devices and services company,” he wrote. “It impacts how we run the company, how we develop new experiences, and how we take products to market for both consumers and businesses. The work we have accomplished in the past year and the roadmap in front of us brings this to life.”

Aside from some predictable angst from those customers who are having trouble seeing beyond their locally installed copies of Office and on-premises Exchange servers, the questions that arise are big. As the letter says, Microsoft now has about 1.3 billion customers, 640,000 partners, and 8 million developers that use, support, or otherwise interact with its products. A change of this magnitude doesn’t just affect Microsoft—it affects the entire ecosystem.

We’ve seen hints of these changes and the negative effects. For example, as Microsoft began backing away from the traditional Windows Small Business Server (SBS) product line and toward a Windows Essentials product that dispensed with on-premises servers in favor of online services, partners complained: The traditional SBS product provided them with an ongoing revenue stream and customer relationships whereas Essentials was basically just a one-time setup with occasional consulting, even though one might logically argue that Essentials more correctly addresses the market realities of the day.
Microsoft responded to the SBS kerfuffle by explaining that its products always changed and that partners would need to adapt to new opportunities and, hopefully, new revenue streams. But it’s not hard to extrapolate from this and see how Microsoft’s broader move to devices and services will affect far more companies.

For example, though the Ballmer letter claims that no one company can adequately serve the 1.3 billion people who use Windows PCs (i.e., Microsoft isn’t Apple), one has to wonder what the effect will be on the firm’s PC-maker partners if the Surface devices are truly successful. Indeed, Microsoft has stated that the first two Surface devices—one based on Windows 8, one on Windows RT—are simply the start of a family of Surface-branded products.

What would the impact be if Microsoft decided that the only way to save Windows Phone from irrelevancy was to take control of the platform and release its own Surface phone? Aside from the harm to supposedly favored partner Nokia—already treading a fine line, solvency-wise—as well as Samsung, HTC, and others, Microsoft would also be sending a message that its strategy of the past few years has been a complete bust. With Android and iOS already owning about 90 percent of the smartphone market between them, it’s unclear how the platform could ever recover.

The trouble with the do-it-yourself path that Microsoft has apparently taken is that the end game is obvious: You will literally be doing it yourself. And it’s thus perhaps no coincidence that Microsoft now has dozens of retail stores across North America with hundreds of “pop-up” stores planned for the holidays.

Windows Phone's Last Stand? 

While we’re speaking of recently completed Microsoft products, it’s hard to escape the fact that its smartphone platform hasn’t taken off in any meaningful way in the market. Windows Phone 8, which is based on Windows 8 internally, and not Windows CE as with previous versions, certainly has the technical and usability chops to differentiate itself from the competition. But customer apathy about it is hard to ignore. And there’s no sign that will change any time soon.

[Need to Know column, Windows IT Pro, December 2012, page 14, www.windowsitpro.com]

Recent missteps by Apple—replacing Google Maps in iOS 6 with a broken Apple app, for example—don’t seem to have changed the dynamics of the smartphone market. According to IDC, Google’s Android OS controls about 70 percent of the smartphone market, with Apple’s iOS in second place with 17 percent. Microsoft takes fifth with Windows Phone, behind RIM BlackBerry and even Symbian, with just 3.5 percent of the market.

Now, even that 3.5 percent represents a jump over the same quarter in the previous year, when Windows Phone accounted for just 2.3 percent. But single digits are single digits.

Aside from the aforementioned “Surface phone” Hail Mary pass, Microsoft does have a few options should Windows Phone continue to tank. It could always adapt full-blown Windows to handsets, which isn’t such a huge leap considering that Windows 8 (its ARM-based versions) can run on tablets with screens as small as 7". But maybe there’s another way.

Remember, Microsoft is recasting itself as a devices and services company. But who says that it needs to actually make those devices? The open letter says, “The full value of [Microsoft’s] software will be seen and felt in how people use devices and services at work and in their personal lives.” That software could run on any device. And in the enterprise, the path is even clearer: Microsoft’s customers “count on [its] world-class business applications ... rely on [its] technology to manage employee corporate identity and to protect their corporate data ... and look to Microsoft to realize the benefits of the cloud.” Nothing about that vision requires Microsoft devices.

That said, I suspect Microsoft will push Windows Phone far beyond the point where it makes sense anymore. But a future Microsoft that’s closer to its roots—a more agnostic supplier of platforms and services, if you will—has a certain logic to it as well.

InstantDoc ID 144497 
In my past two columns—“Automating PowerShell Reports, Part 1” and “Automating PowerShell Reports, Part 2”—I’ve been preparing you to be able to use PowerShell to create Active Directory (AD) reports automatically and, even better, to deliver those reports to your mailboxes. To that end, I’ve examined PowerShell’s send-mailmessage command (which will do the emailing for you) and talked about how to ensure that send-mailmessage can successfully send that email in a modern secured email infrastructure. Now you’re ready to assemble a report that PowerShell can run for you daily.

You would like to get a report of all the users who haven’t logged on in 120 days, sorted by how long it has been since they logged on. That would be this command in PowerShell (a bare number given to -timespan is read as a number of days):

search-adaccount -usersonly -accountinactive -timespan "120" |
    select samaccountname,lastlogondate | sort lastlogondate | ft -auto

To automate this, you would put the above command into a text file—with one change (to capture output in a text file)—add to that file a send-mailmessage command that uses the text file as the body of the message, save the file containing the two commands with a .ps1 extension, then schedule the command to run daily in Task Scheduler:

powershell -executionpolicy remotesigned -command <nameoffile.ps1>

First, create the .ps1 file. Find a folder where you’ll store your PowerShell commands and report outputs. (I use a folder named C:\scripts for that, but anything will work.) Then, create a new text file to hold the PowerShell commands that will run your report. (I call mine oldusers.ps1.) Open the file in Notepad, and type these three commands. Each one is a single logical line; a line that ends in a pipe (|) or a backtick (`) continues on the next line, so you can wrap them for readability:

import-module activedirectory

search-adaccount -usersonly -accountinactive -timespan "120" |
    select samaccountname,lastlogondate | sort lastlogondate | ft -auto > C:\scripts\oldusers.txt

send-mailmessage -to <youremail> -from <powershell@yourcompany> `
    -subject "Daily inactive user report" `
    -smtpserver <yoursmtpservername> `
    -body (get-content C:\scripts\oldusers.txt | out-string)

I added that first line—import-module activedirectory—because AD commands need the AD module. (PowerShell 3.0 on Windows 8 and Windows Server 2012 loads the module automatically the first time you use one of its cmdlets, but the explicit import is harmless and fails with a clear message if the Remote Server Administration Tools aren’t installed.) Next, I added > C:\scripts\oldusers.txt to tell PowerShell to store the result of that long search-adaccount command in a text file. (Again, you’re welcome to use any filename and folder you want.) Now, the send-mailmessage command looks like the ones we talked about a couple months ago, but you have to personalize it to your company’s email and domains, as well as the filename specified in the get-content command (which has to match the name of the file that you just wrote out with the search-adaccount command). So, if you were joe@bigfirm.com with a local SMTP server at mail.bigfirm.com, the three lines would look like

import-module activedirectory

search-adaccount -usersonly -accountinactive -timespan "120" |
    select samaccountname,lastlogondate | sort lastlogondate | ft -auto > c:\scripts\oldusers.txt

send-mailmessage -to joe@bigfirm.com -from powershell@bigfirm.com `
    -subject "Daily inactive user report" `
    -smtpserver mail.bigfirm.com `
    -body (get-content c:\scripts\oldusers.txt | out-string)

You might reasonably ask why I didn’t just use the PowerShell pipeline to take search-adaccount’s output and stuff it into send-mailmessage’s -body parameter, making the two lines into one. Honestly, I felt that doing so would have resulted in history’s longest, least readable PowerShell line.

The .ps1 file is probably ready to be scheduled, but it never hurts to check it. Now, you’re running a PowerShell script, and by default Windows systems won’t run scripts, which is why it’s nice that the powershell.exe command includes a parameter (-executionpolicy remotesigned) to let you override that for just this one process. (Keep in mind that the execution policy is a safety catch against running scripts by accident, not a security boundary: anyone who can start powershell.exe can override it the same way.) Use that to invoke your script (even from inside a PowerShell prompt):

powershell -executionpolicy remotesigned -command <scriptname>

In the case of my example, you’d type

powershell -executionpolicy remotesigned -command C:\scripts\oldusers.ps1

If that doesn’t work, and you don’t get a message, first check for typos. Then, from a PowerShell command prompt, try just the search-adaccount command without the > filename end to it. Look again for typos, and ensure that you’re not running from an account that doesn’t have the privilege to do search-adaccount commands. Once that’s done, run the command again, restoring the > filename part. Doing so will give you the file oldusers.txt (or whatever you decided to call it), so you can then run the send-mailmessage command by itself. If that fails, it’s probably an SMTP permission problem, as I discussed in the aforementioned articles. Use the advice in those articles to smoke it out.

Finally, schedule the task from Task Scheduler. Create a new task, giving it any name you want, and define its Triggers (e.g., when to run it—just set it On a schedule, and as often as you like) and its Actions. For Actions, tell it to Start a program (with a Program/script value of powershell), and in Add arguments, specify the rest of the command, as in -executionpolicy remotesigned -command C:\scripts\oldusers.ps1. Tell it to run whether the user is logged on or not, under an account that can read AD and relay mail through your SMTP server. Local System will do that on a domain-joined machine (it reaches AD as the computer account), but a dedicated, low-privilege domain account is the better choice: the task then holds no more rights than the report needs, and a stray edit to oldusers.ps1 can’t run as System. Once you’ve scheduled the new task, you needn’t wait: Make it run immediately by right-clicking it and choosing Run.

Best of luck with your first automated report! Now start thinking about what else PowerShell can deliver to your mailbox!
The Essential Guide to Migrating SharePoint Environments to the Cloud


A general truism is that SharePoint environments are only as valuable as the data that they contain. A SharePoint environment can be visually stunning, display complex dashboards, images and scrolling text, but if the data isn’t updated regularly, relevant to the needs of the users and maintained to provide the most valuable information, chances are it will not be adopted by the user community. Once the valuable “eggs” are uploaded to this “basket,” IT must ensure that they are suitably protected, which leads to the inevitable challenges inherent in backing up and planning for different disaster recovery situations for these complex, often multi-tiered enterprise applications.

Adding to this challenge, the continued evolution of cloud based technologies and services makes the planning and design process more complex. IT has to answer questions about the cost effectiveness of existing SAN storage, ever increasing numbers of servers that need to be managed, and convince “management” that the best solution is in fact in place. While these technologies have been around for years, clients today are taking them more seriously and are more interested than ever in full or partial cloud solutions for SharePoint.
Mapping Cloud Solutions to Your SharePoint Implementation

There are many different categories of SharePoint implementations, and the needs and requirements vary greatly depending upon the core business goals that the implementation is attempting to meet. Some of the typical purposes of SharePoint implementations include the following:

• Application Hosting: Self-contained applications (those that don’t have hooks into other data sources) are often well suited for migration to a cloud environment. Note that each cloud provider will have policies about what type of applications (if any) can be uploaded or migrated to their environments. A general rule of thumb is to develop “sandboxed solutions” from Visual Studio to enhance compatibility with cloud-based environments: a sandboxed solution runs in a restricted process, is scoped to its site collection and cannot reach external data or the network, which is exactly the constraint a multi-tenant host has to enforce. Note also that applications developed in SharePoint with a large number of hooks into databases and other sources of data may be difficult to move to a cloud service provider who doesn’t provide flexibility over server, network and firewall configurations.

• Document Management: SharePoint implementations dedicated to pure document management may or may not be good candidates for cloud implementations. There need to be convincing arguments in the areas of cost, usability, performance and manageability for it to make sense to most organizations. If all the users are internal to the company and located in offices that have high bandwidth access to the SharePoint farm, moving the data to the cloud can be hard to justify. But for larger companies, with branch offices that might have slower access to the central SharePoint farm, and for organizations that interact with a large number of non-employees, cloud implementations can make sense.

• Extranets: Typically good candidates for cloud implementations, since some or all of the data needs to be consumed by external, trusted partners for whom accounts will need to be created, and those accounts typically are not in the production Active Directory forest. Generally a synchronization process needs to be implemented to synchronize data from a production SharePoint environment (or file share) to specific sites on the extranet.

• Intranets: These are often good candidates for migration to the cloud, since a larger number of intranets are relatively simple, especially for smaller organizations who are seeking to simply share forms, procedures, policies and news. Cloud based intranets can be especially valuable to organizations with distributed offices around the US or in multiple countries, since internet bandwidth can be more robust than often congested WAN connections.

• Internet sites: An excellent candidate for cloud implementations, since the infrastructure needs to be able to handle a large number of anonymous visitors at a time, and most cloud providers have high bandwidth connections to the internet. Also, SharePoint licenses for handling unlimited users (as well as SQL Server and Windows Server) are expensive.

Of course, many organizations use SharePoint to meet a combination of these needs, so when contemplating migrating to a cloud based SharePoint environment, a number of questions need to be answered:

• Is your organization ready/able to store data outside of its immediate control?

• How do the costs of the cloud solution compare to on premises?

• What level of control (administration and governance) will you have over the cloud environment?

• What level of development and customization of SharePoint is required for the solution, and is it supported by the service provider?

• What guarantees of performance, availability, and reliability are being given by the cloud provider?

Each organization must make its own decision on how a cloud environment does or does not fit into the overall SharePoint architecture. That being said, it does make sense for organizations to understand the pros and cons of full or partial cloud migration of SharePoint farms and content to better understand where it might fit into the overall SharePoint strategy. For example, Company A might find that an Office 365 SharePoint implementation is a cost effective way to quickly provision an extranet, but still keep their intranet internal to the organization. Company B might find that a fully hosted SharePoint farm meets their intranet needs, since they are a very distributed organization with branch offices across the United States and limited WAN bandwidth between many of the remote offices. Company C might choose to simply experiment with a service such as Microsoft’s Azure on a limited basis and test performance for future applications.

Understanding Different Cloud 
Solutions 

It seems like new cloud based solutions pop up every day, so it’s impossible to list all the different options. However, there are some popular options that can be covered in terms of the basic services offered. This section gives a high level overview of a typical hosting company in the cloud, and Microsoft’s Windows Azure and Office 365 offerings are examined for the different options they provide.

[Special Advertising Supplement to Windows IT Pro magazine, sponsored by AvePoint]

Finding a company to host your servers in a private or public cloud environment can be a good option for organizations that have one or more of the following constraints:

• Limited space in data centers, or lack of a reliable data center

• Limited IT staff to support the servers

• Lack of expertise in supporting the operating systems and SharePoint software

• Insufficient disaster recovery tools and processes to meet required service level agreements for the applications in question

• Financial constraints where monthly payments make more sense than upfront payments, therefore a shift from capital expenditures to operational ones

In these cases a company such as Rackspace can simply house the servers and provide power, battery backup, data and configuration backup as well as disaster recovery and availability options. Amazon provides a range of services such as Amazon Elastic Compute Cloud (EC2) that allows you to commission one, or even hundreds, of server instances. A key thing to look for is complete control over the server image, including choice of server operating system, memory, CPU, storage options, and service level agreements. Control over the network configuration is also important, and some vendors offer control over IP range as well as connectivity to your corporate network environment via IPSec VPN or other methods. Amazon even offers High I/O Instances that can provide customers with random I/O rates over 100,000 IOPS.

Windows Azure also provides a wide range of services, including Execution Model, Data Management, Connectivity, Business Analytics, Identity, Media and Commerce. From a consumer standpoint, the following four options are presented when you sign up for an Azure trial, and they give insight into several components of interest to SharePoint administrators:

• New Hosted Service: A hosted service in Windows Azure consists of an application that is designed to run in the hosted service and XML configuration files that define how the hosted service should run. A hosted service can contain any number of Web, Worker, or VM roles, such as a Windows Server 2008 R2 image.

• New Storage Account: Blobs, Tables, and Queues are all available as part of the Windows Azure Storage account and accessible from both inside and outside the Windows Azure platform by using classes in the Windows Azure Storage Client Software Development Kit (SDK). 

• New Database Server: This service allows you to create a new SQL database server or create a new SQL database. 

• Connect: This service allows you to 
configure a connection between one or 
more computers or VMs in your local 
network and Web roles or Worker roles 
running in Azure. 

Microsoft Office 365 offers a wide range of tools and services that can include Exchange, SharePoint, Lync and Office products. A number of plans are offered, including Small Business (Plan P1), Midsize Business & Enterprise (Plan E1), and Midsize Business & Enterprise (Plan E3), with each offering different tools and functionality. Focusing on the SharePoint-specific capabilities of Office 365, some features that differ by plan include: 

• My Sites are not offered under all plans 

• Enterprise Features (Access, Business Connectivity Services (BCS), InfoPath Forms, Excel and Visio Services) are not offered under all plans 

• Office Web Apps are view only under some plans 

• Users can be given rights to be an administrator of the tenant, site or site collection only under some plans 

• Pooled storage starts at 10 gigabytes (GB) base customer storage plus 500 megabytes (MB) per enterprise user subscription license (E1-E4), and then additional storage is available by the GB on a billable basis 

• A file upload limit of 250 megabytes (MB) per file applies 

In some cases trial plans are available as well, and a test drive of the Office 365 services can be beneficial so the organization gets some firsthand experience. Specifically, the administrative interface should be reviewed, since it is very different from standard, on-premises SharePoint 2010 Central Administration. Figure 1 shows a comparison between a SharePoint 2010 on-premises Central Administration page on the left and a Microsoft Office 365 SharePoint administration page on the right, and this illustrates the dramatic difference in the number of management tools on the two platforms. To sum up the differences: Farm Administrators of an Office 365 environment have a very limited set of tools to choose from, so they will primarily be tasked with user management. 
Figure 1 


In summary, due to the vast number of options for cloud based storage and computing services, it is recommended that you carefully consider the pros and cons of the different options, possibly engage consulting services to assist, and plan for migration to and management of your servers and content once they are in the cloud. 

Migrating Content to the Cloud 

While some service providers may offer migration services, typically it is the responsibility of the organization to migrate its own content to the cloud. Therefore it is important to understand what, if any, tools the service provider will support and allow to be used for migrations. Some providers “lock down” the servers that host the SharePoint site collections, and therefore won’t allow any agents or software to be installed on the servers, limiting which migration tools can be used. Organizations should look for tools that don’t require any server components to be installed, or choose industry standard tools, such as those from AvePoint, that cloud service providers are more likely to support. 

Table 1 categorizes content into different standard types and summarizes challenges that might be encountered, as well as suggesting migration methods and variables to be aware of. The table also provides a ranking of the relative difficulty of the migration process to the cloud for each type of content. This is based on the author’s experience with numerous organizations over the past decade. 

In general, it is recommended that your organization choose one or more products to assist with the migration of SharePoint content to a cloud based environment and then monitor and manage the content as well as the site collections and sites that contain the data. It makes fiscal and logistical sense to choose a single vendor who offers the range of products to meet most if not all of these needs. By selecting a single vendor, costs for the software can often be reduced through bundling of products, support goes through one source, and finger pointing between vendors can be avoided. 

Table 1 

Type of Content | Challenges | Recommended Migration Tool | Relative Difficulty of Migration (1 = Easy to 5 = Difficult) 

Word, Excel and other standard file types | Easiest to migrate, unless multiple versions (major and minor) need to be migrated. | Small numbers of files can be manually migrated; larger numbers of files should be migrated via third-party migration tool. Third-party tools offer many features and options for what is migrated and what information is maintained. | 1 

Non-Microsoft file types and large files | More challenging to migrate to the cloud; need to verify the provider allows upload of the file types and maximum upload size. | Small numbers of files can be manually migrated; larger numbers of files should be migrated via third-party migration tool. | 2 

SharePoint Forms | Typically easy to migrate if InfoPath or ASPX forms. | Small numbers of files can be manually migrated; larger numbers of files should be migrated via third-party migration tool. | 2 

SharePoint Web Pages | Typically easy to migrate, especially if from like products (SharePoint 2010 source to SharePoint 2010 destination in the cloud). | Small numbers of web pages can be migrated by hand, or larger numbers can be migrated by third-party tools. | 2 

SharePoint Wikis, Blogs | Typically easy to migrate, especially if from like products (SharePoint 2010 source to SharePoint 2010 destination in the cloud). | Due to the number of pages involved, these are typically migrated by third-party tools. | 2 

SharePoint Designer Based Workflows | Check with the cloud provider to ensure SharePoint Designer is enabled. | Workflows created in SharePoint Designer can be replicated using some 3rd party tools and can be copied by hand. | 3 

SharePoint Web Parts | Depends on complexity of the web part, if they are off the shelf or custom designed. | If web parts are compiled as .WSP they are typically migrated and installed manually. Web parts that are sandboxed solutions will migrate without issue to the cloud. Those that use the object model will require recompilation and possible rewriting. | 3 

Branding | Check with the cloud provider to ensure SharePoint Designer is enabled. | Depends on the level of complexity of the branding. | 4 

.NET Applications | Check with the cloud provider to see if these can be migrated to their environment. | Most migration tools won’t address .NET applications. Furthermore, it is important to ask your cloud provider if they will support your .NET application and if so what version of .NET is supported. | 5 

Databases | Access databases can be published to SharePoint in the cloud using Access Services, but other databases can be challenging. | Most migration tools don’t address database migrations, so the process will need to be manual. Furthermore, few Access databases are “web ready” and most will require a significant amount of development to rebuild forms, reports and queries to be web enabled. | 5 

SharePoint Workflows (WWF) | Very difficult to migrate in most cases, largely due to the stateful nature of workflows, and because they are frequently customized through SharePoint Designer or Visual Studio. | Only certain workflows can be migrated by third-party tools; others need to be migrated by hand or re-created in the cloud environment. Implications related to Sandbox solutions also arise with WWF based workflows which are object model only. | 5 
Figure 2 


As shown in Figure 2, AvePoint offers a number of tools that are supported by on-premises SharePoint 2010 as well as Office 365, including Administrator, Content Manager, Granular Content Backup and Replicator. While some of these tools are more limited in terms of functionality in the Office 365 environment due to restrictions put in place by Microsoft, a wide range of tools are still available to facilitate content migration and management of the various “moving parts” of a SharePoint environment. Figure 3 shows an example of the Content Manager module in use with two Office 365 based SharePoint 2010 environments. This tool has no footprint on either Office 365 environment, and is able to interface with the environments without any changes to the servers or even to SharePoint 2010. Tools include the ability to create filters to determine which content should be moved or copied (for example, items with a Modified Time within 1 month of today), a Mappings tool to perform User Mapping (in case user names are different between environments, such as the on-premises and the cloud based environments, which is often the case) and the ability to create Storage Policies, which allow you to determine what logical device to use, as well as retention rules. 

Figure 4 shows an example of creating an Ad Hoc granular backup from the Granular Backup and Restore tool. This allows detailed customization of the backup rules and processes, and includes the ability to create Storage Policies (as mentioned above) and Filter Policies, include versions of documents and list items, set Data Compression levels and configure other options such as using Data Encryption. Plans can be configured for regularly occurring backups as well, including options for daily, weekly and monthly backups. Options are available for the granularity of the backup, where an “Item” level backup results in slower backup speeds, but allows for item-level and version-level restores. 

Figure 4 

The AvePoint DocAve Replicator tool can be extremely useful in a number of circumstances where data and content need to be copied from “Point A” to “Point B”, and it is capable of performing two-way replication, which is critical for some organizations that have multiple live SharePoint farms in different locations. Figure 5 shows a screen capture of a replication profile configuration process with the Replication Options visible. The Replication Options include check boxes to clarify which components will be replicated at the site collection level, site level, list level and item level (not included in the screen capture). Note that the configuration tool offers tools for Replication Options, Conflict Options, Filter Options, and Mapping Options as highlighted in the image. The Conflict Options are “Data source always wins” or “Data destination always wins” with Conflict Actions of “Skip” or “Overwrite”, and the Filter Options are extremely granular, so the administrator of the tool can be extremely specific about the criteria for replicating content. For example, replication can be configured to only occur if a custom property in a text field matches a certain value, so end users could manually tag items for replication or not depending upon the nature of the content. 
Going Forward 

Continuing the series of Essential Guides, this guide focuses on the challenges involved with migrating content and data to cloud based environments. A first hurdle is to determine whether the content housed and managed by SharePoint is well suited to partial or full migration to the cloud, and a second hurdle is to then choose the best suited solution. A full survey of cloud based hosting solutions isn’t feasible, but some details were provided on Office 365 and Windows Azure service offerings. 

It is strongly recommended that any organization interested in migrating SharePoint content fully or partially to the cloud investigate migration and management tools from AvePoint, which can assist with legacy SharePoint versions such as SharePoint 2003 or SharePoint 2007 as well as fully support SharePoint 2010. Furthermore, AvePoint DocAve Online provides cloud hosted tools for performing many valuable tasks including managing content, backup and restore and replicating content between SharePoint locations. AvePoint tools also provide many other powerful capabilities that are advantageous to SharePoint farm, site collection and site administrators. 
New Features in Windows Server 2012 Server Manager 

A completely changed tool 
Microsoft Windows Server 2012 includes a lot of great changes that make it the best version of the Windows Server OS to date. None of these changes will leap out at you faster than the new Windows Server 2012 Server Manager. In fact, with the new Windows 8-style interface, Server Manager is displayed immediately after your system starts up and is your primary management tool. Here are some of the most outstanding new features. 

(1) All-new UI — Without a doubt, the first thing you’ll notice about Server 2012 Server Manager is the new UI. On a Server 2012 installation using the full graphical shell option as opposed to the Server Core mode, Server Manager appears immediately after the system boots so that it’s the first thing you see. The old Server Manager, with its Roles and Features navigation pane, has been replaced with a Windows 8-style interface. 


(2) Dashboard — Server 2012 Server Manager opens initially into the Dashboard display. The Dashboard is the primary entry point for a Server 2012 system in the non-Server Core mode. The Welcome pane presents three Metro-style boxes: Quick Start, What’s New, and Learn More. The Quick Start box shows a list of steps you need to take to manage your environment, such as Configure this local server, Add roles and features, and so on. Additional options at the top of the Dashboard window are Manage, Tools, View, and Help. 
(3) Local server management — As you would expect, Server 2012 Server Manager lets you perform management of the local server that it’s running on. Clicking the Configure this local server link lets you modify most of the important local computer settings, including the computer name, domain name, firewall status, and remote desktop and remote management, as well as NIC teaming. By clicking the Add roles and features link, you can add server roles such as Hyper-V or Active Directory Domain Services or features such as BitLocker Drive Encryption and Failover Clustering to the local server. 

(4) Multi-server management — Unlike Server Manager in previous versions of Windows Server, Server 2012 Server Manager lets you easily manage multiple remote Windows Server systems. Clicking the Add other servers to manage link lets you add other computers on the network that can be located through Active Directory (AD), DNS, or an IP address. After they’re added, the remote servers show up in the All Servers pane. 

(5) Server groups — Building on the ability to perform remote server management, Server 2012 Server Manager also lets you perform group management. Any action you perform on the group is performed on all the servers in the group. You can create a group to manage multiple servers by clicking the Create a server group link on the Dashboard, then providing a group name and selecting the servers to be included in the group. 

(6) Event logs — Server Manager lets you access event logs for both the local server and remote servers. If you’re in the Local or All Servers view, you can see events for both the local server and for remote servers by clicking either Local Server or All Servers in the navigation pane and scrolling down to the Events section. Events can be filtered, and clicking any event brings up its details. 


(7) Services — The new Server Manager also lets you manage services on the local server and the remote servers that are being managed. If you’re in the Local or All Servers view, scrolling down past the Event section displays Server Manager’s Service section. Right-clicking a service brings up a context menu that you can use to start, stop, restart, pause, and resume the service. 

(8) Best Practices Analyzer — Another completely new feature in Server Manager is the ability to run the Best Practices Analyzer (BPA). By selecting the Tasks drop-down menu, you can start a BPA scan on the local server or a remote server. 


(9) Performance — Again, if you’ve selected the local server or a remote server, then scrolling down past the BPA section displays the Performance section. The Tasks menu lets you select the performance counters you want to track. Right-clicking the server name lets you start and stop the collection of performance statistics. 

(10) Administrative tools — With the once-handy Start menu gone, Server 2012 needed a way to help you access some of the common administrative functions; the Tools option at the top of the Server Manager display provides this access. The Tools menu displays a list of management options that looks a lot like what you used to see on the old Administrative Tools menu. Some of these management options include iSCSI Initiator, ODBC Data Sources, Resource Monitor, Services, and Task Scheduler. 
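The multi-server Events and Services views described in items 4, 6 and 7 above can also be queried from PowerShell, which is useful when you want the same checks run on a schedule and written to a log rather than viewed in the console. The following script is an added example, not code from the article or from Microsoft; the server names are constructed placeholders, and it assumes Windows Remote Management is enabled on each target, as Server Manager itself requires for remote servers. 

```powershell
# Added example (not from the article): collect critical/error events and
# stopped automatic services from a group of servers over WinRM, the same
# transport Server Manager uses for remote management.

$servers = @("SRV01", "SRV02", "SRV03")   # constructed placeholder server group
$since   = (Get-Date).AddHours(-24)

# Invoke-Command runs the script block on every server in parallel and tags
# each returned object with PSComputerName; -ErrorAction Continue means an
# unreachable server is reported but does not abort the rest of the run.
$report = Invoke-Command -ComputerName $servers -ErrorAction Continue -ArgumentList $since -ScriptBlock {
    param($startTime)

    # Level 1 = Critical, 2 = Error in the System log since $startTime.
    # Get-WinEvent raises a non-terminating error when nothing matches, so
    # silence it and treat "no events" as an empty result.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = "System"
        Level     = 1, 2
        StartTime = $startTime
    } -ErrorAction SilentlyContinue

    # Services configured to start automatically that are not running.
    # Win32_Service is used because the StartMode property is available on
    # Windows Server 2012's PowerShell 3.0, unlike ServiceController.StartType.
    $stopped = Get-CimInstance -ClassName Win32_Service `
        -Filter "StartMode='Auto' AND State<>'Running'"

    [pscustomobject]@{
        ErrorEvents     = @($events).Count
        StoppedAutoSvcs = @($stopped | ForEach-Object { $_.Name })
    }
}

# Servers with the most error events first; an empty StoppedAutoSvcs list
# and zero events is the expected healthy result.
$report |
    Select-Object PSComputerName, ErrorEvents, StoppedAutoSvcs |
    Sort-Object ErrorEvents -Descending |
    Format-Table -AutoSize
```

Services with a delayed automatic start also report StartMode 'Auto' and may legitimately still be starting shortly after boot, so treat a non-empty StoppedAutoSvcs list as something to look at rather than as a failure in itself. 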


If you don’t have a Server 2012 system installed, you can still get some hands-on experience with the new Server Manager from Microsoft’s Windows Server 2012 Virtual Labs. 

InstantDoc ID 144227 
Enterprise Identity 


The Year in Identity 

Enterprise identity saw good progress 
in 2012, but was it good enough? 

As we approach the end of the year, many people take the opportunity to review the significant trends or happenings in the past 12 months in their area of interest. I’m no exception. And in 2012, a lot really has happened in enterprise identity—both positive and negative. 

On the positive side, progress has been made in cloud identity as this market continues to mature. For example, a number of identity-related specifications and standards are seeing an increase in adoption. This is a critical area for cloud identity because if you’re a cloud service provider (such as a Software as a Service—SaaS—vendor) and there’s no standard for how to manage your identity needs, you have to make it up as you go. Given the explosion of cloud-based services, it’s a recipe for disaster. System for Cross-domain Identity Management (SCIM), an emerging standard designed to simplify and standardize user provisioning for cloud-based applications, has moved from specification to IETF standard. (The name behind the acronym has changed a few times along the way, too: It began as “Simple Cloud Identity Management.”) 

Another big step forward for web-based authentication and authorization is the rapid adoption of OAuth 2.0. This token-based security method is quickly becoming the de facto standard for authenticating mobile applications to cloud-based services (e.g., Google) through the service’s OAuth 2.0 APIs. It’s a very good thing, and much simpler than having your mobile app redirect you to the device’s mobile browser to authenticate with the service. If you’ve ever used a Twitter app on your phone or tablet, you’ve used OAuth 2.0. 
OAuth 2.0 is powerful, but it’s also complicated. As a result, there are a number of ways that vendors can use OAuth 2.0 for authentication—but standardization, again, is what’s needed. OpenID Connect is a simple identity protocol that rides on top of the more complex OAuth 2.0 specification, making it easy to provide identity management using OAuth 2.0. This protocol has grown in popularity in 2012 and is a leading reason for OAuth 2.0’s success. (If you aren’t confused enough yet, check this out: Facebook designed its own authentication protocol called Facebook Connect. Why, you might ask? Because Facebook wants the ability to provide a much greater amount of social media information to its partners than OAuth/OpenID Connect provides. Which is why I avoid using my Facebook credentials for single sign-on—SSO—whenever possible.) 

At the macroscopic level, Identity as a Service (IDaaS) has really entered the mainstream. Once a fringe idea, the concept of outsourcing your connections and SSO to cloud service providers instead of maintaining it yourself (e.g., Active Directory Federation Services—AD FS) has grown in popularity as the number of SaaS providers that an enterprise uses has grown. IDaaS is a simple, fast, and generally cost-effective way to maintain what Gartner dubs an identity bridge between the enterprise and the cloud. The IDaaS market has become increasingly crowded as both well-established players (such as Microsoft, Salesforce.com, and Ping Identity) and newcomers (such as Intel) have introduced products. As if to underscore the validity of this market, the Gartner analyst responsible for this segment (Mark Diodati) joined one of the players (Ping Identity). 

The Cloud Identity Summit was bursting at the seams, indicating an ever-increasing interest in cloud identity and how to use it. Craig Burton got everyone’s attention at the summit by declaring that Security Assertion Markup Language (SAML)—the predominant protocol used today for claims-based authentication—is dead. It still works; it’s just being rendered obsolete by newer protocols, such as the ones I’ve mentioned above, that have more capability. 
The National Strategy for Trusted Identities in Cyberspace (NSTIC)—pronounced n-stick—federal government initiative also moved forward in establishing its administrative structure and initial pilot programs, albeit more slowly than companies accustomed to working on “web time” would prefer. NSTIC is a government-sponsored but privately led initiative to establish an identity ecosystem or marketplace of trusted identity and service providers with a higher degree of security than is available today. Many important players in private industry have generally embraced NSTIC, whereas others maintain a “wait and see” attitude. 

Just like last year, the dramatic increase in the number of mobile devices continues. In September, Apple CEO Tim Cook announced that the company had sold 400 million iOS devices, and that the average person has more than 100 apps on his or her device. (Someone’s loading the deck, because no one I know has that many!) Most of these apps have a cloud-based back end, which requires authentication of the mobile device’s user. The one-to-many relationship between mobile devices and their apps—and each day’s increase of thousands, even tens of thousands, of new devices flooding the market—points out the central role of identity in everything we do. Five years ago, most of us didn’t have to authenticate to play music in our house. 

On the consumer front, users are becoming more and more familiar with federated sign-on using Facebook, Google, Microsoft, and identity providers to simplify logging on to their web services. Two-factor authentication (password plus mobile phone code) is becoming a little more common, thanks to the ubiquity of mobile phones and the support of big players such as Facebook and Google. 

Of course, the year wouldn’t be complete without some epic identity-management failures. First, 100,000 IEEE user IDs and passwords were left in plaintext on an FTP server for a month before they were discovered by a teaching assistant. (How much longer would they have been hanging out there if he hadn’t said anything?) Second, 453,491 email addresses and passwords in plaintext were stolen from Yahoo! Voices. An analysis by a Scandinavian security researcher found that the top four passwords were 123456, password, welcome (at least the users were polite to the hackers), and ninja (really?). Third, and probably the biggest identity steal of the year (I say “probably” because these have become so tediously common that I tend to lose track), was LinkedIn’s loss and subsequent publication of 6.5 million password hashes. Finally, in the facepalm-worthiest incident of all, a French citizen unintentionally breached the security of the French Central Bank over the phone by entering that most popular password, 123456, when prompted for a code by an automated system. (No, this isn’t an article by The Onion.) 

Aside from the ongoing litany of exposed identity stores, the need for secure, scalable identity management is outstripping the pace at which standards are being ratified and adopted. When you look at all the nodes on the network—businesses and their employees, mobile devices, service providers, general consumers—and all the ways these nodes can connect with each other, as well as how few connections have actually been made so far, it’s clear that identity management as a profession needs to get ahead of the supernova of security that’s speeding our way. 

InstantDoc ID 144484 


THE TOP 10 

Best Practices for Protecting Microsoft 
Services running on Hyper-V 


Windows Server 2012 brings a completely new level of scalability and functionality to virtualization with the latest version of Hyper-V. In this top ten we will look at the ten most important best practices when protecting Microsoft services running on Windows Server 2012 Hyper-V. 


1 | Virtual machines should be backed up from the Hyper-V host - A virtual machine has one or more virtual hard disks which can be backed up at the Hyper-V host level while ensuring application integrity through the Hyper-V VSS pass-through capability. The VSS pass-through calls the VSS writers registered in the guest OS within the VM when backed up from the host. Host-level backup can ensure application integrity, so the units of restoration would be the entire VM, files from the file system, entire applications, or even granular application data like databases and mailboxes. This level of protection can also be achieved if the backup is performed within the actual guest OS. While host-based protection methods are recommended, the decision to back up from the host or from within the virtual machine is a decision each IT professional will need to make. 

2 | Protect all supporting services for an application - Many applications rely on other services such as Active Directory or a database. For complete protection ensure the application and its dependent services such as Domain Controllers are also protected. 





3 | Use disk-based storage for short-term backup storage - Using disk for the storage of backups allows for very easy access to backup data and fast restore actions. Additionally, the use of disk for backups allows for the storage of “differences only” or “deltas” between different backups, allowing optimization of disk usage while maintaining the ability to restore from many different historical points in time. 


Symantec 


4 | Ensure backups are also stored offsite - Local disk usage provides many benefits for backups; however, it is critical to also ensure backups are stored offsite to provide complete resiliency to different scenarios, so supplement local disk backup storage with offsite storage, which could be disk, tape or public cloud based. 

5 | Use modern operating systems where possible - Modern operating systems such as Windows 2008 and above are optimized for virtualization and not only have performance parity when virtualized with running on bare-metal hardware (not virtualized) but also allow for integrated backups through Hyper-V integration services without interruption to the virtual machine’s services. Older operating systems may require the virtual machine to be paused during backup actions at the Hyper-V host. 

6 | Replication is not a replacement for backups - A number of services have replication capabilities; however, this does not mean backups are not necessary. An accidental deletion or a logical corruption would replicate throughout an environment and only traditional backups would enable restoration of lost or corrupted data. 

7 | Use Hyper-V Replica sparingly - Hyper-V Replica is a powerful asynchronous replication solution for disaster recovery; however, it should never be the first choice for protection of a service. If the service has its own disaster recovery capabilities, as is the case with Exchange, SQL Server and Active Directory Domain Controllers, then use the service’s native capabilities. Additionally, some services specifically do not support being rolled back in time, which is the case in an unplanned Hyper-V Replica failover, so ensure any service that is protected with Hyper-V Replica will not experience problems should the VM be rolled back in time a few minutes. A good example of a service that cannot be rolled back in time is Active Directory. 

8 | If SMB is used, ensure a solution is in place to protect content on the file share - Windows Server 2012 introduces SMB 3.0, which provides support for storage of Hyper-V virtual machines and SQL databases. When running Hyper-V virtual machines on SMB, ensure that the protection solution has support for remote VSS protection. 

9 | Snapshots should not be used for backup purposes - Snapshots provide a very useful capability to save a point-in-time view of a virtual machine, which is useful in testing scenarios; however, snapshots should never be used as a replacement for backups. Applications running in a VM are not aware when a snapshot is applied, so processes to ensure application integrity and ensure transactions are not replayed cannot be called. Supported restore processes have capabilities to ensure no undesired side effects. 

10 | Test your backups for virtual machines the same way you would test physical backups - Backups are taken so they can be restored when needed, so it’s important to know the backups taken can be used in the manner required; test recovery processes often and any time a change is made. 
Navigating Storage Spaces and Pools in Windows Server 2012 and Windows 8 

How to virtualize Windows storage 
With new versions of Windows hitting the shelves, we’re seeing lots of exciting new storage features. Both Windows Server 2012 and Windows 8 deliver a new functionality called Storage Spaces and Pools, which provides users with a number of new capabilities, including the following: 

• A method of virtualizing storage 

• RAID functionality that would otherwise be available only 
through expensive storage hardware 
• Support for thin provisioning 
• Scripted management via PowerShell 

• Redundant data copies that can be used to repair file system problems 
• Integration with Cluster Shared Volumes (CSVs) 

You’ll find the UI for Storage Spaces and Pools in the Control Panel Storage Spaces applet (Windows 8) and in Server Manager (Server 2012); you can also use PowerShell cmdlets (both OSs). For the most part, this article will refer to the Server Manager interface. The Windows 8 client version is simplified and differs greatly in appearance. However, the underlying technology is the same.

Supported Storage 

You can set up Storage Spaces and Pools on a wide variety of storage 
hardware. The supported bus types are Universal Serial Bus (USB), 
Serial ATA (SATA), and Serial Attached SCSI (SAS). 
Although you can use Storage Spaces and Pools in conjunction with LUNs through either Fibre Channel or iSCSI, it isn’t a supported configuration. Users with such high-end storage solutions should look to their respective storage vendors to make best use of the functionality that they provide. Storage Spaces and Pools is geared toward less expensive storage solutions, to introduce functionality that would otherwise be unavailable.

Creating a Pool and a Storage Space 

A pool is simply a logical grouping of physical disks, whereas a storage space is a virtualized disk that can be used like a physical disk. For this reason, using Storage Spaces and Pools to create a storage space is a two-step process: First, you create the pool; second, you carve out a storage space—called a virtual disk in Windows Server. Be sure not to confuse Storage Spaces and Pools virtual disks with Virtual Hard Disk (VHD) or VHDX files. The terms are similar but they don’t have anything to do with each other.

You can use the Server Manager interface to create your functional pool. You start with a default pool called the Primordial Pool, which is a list of physical disks attached to the computer that can be pooled. The Primordial Pool doesn’t count as a functional pool. The wizard will prompt you for the name of the pool and the physical disks to be added. Once created, the new pool will show up in the Server Manager interface. (Although Windows allows you to create a multitude of pools, it’s recommended that you not create more than four.) The following three-line PowerShell script performs the same operation:

$stsubsys = (Get-StorageSubsystem)
$physd = (Get-PhysicalDisk PhysicalDisk1, PhysicalDisk2, PhysicalDisk3, PhysicalDisk4)
New-StoragePool -FriendlyName MyPool1 -StorageSubsystemFriendlyName $stsubsys.FriendlyName -PhysicalDisks $physd
Now that you have a pool, you can create a virtual disk (called a storage space in Windows 8). The wizard will prompt you for the name of the storage pool used, the name of the virtual disk, the type of storage layout, the provisioning type (thin or fixed), and the virtual disk’s size. I’ll review the choices in the next section, but when the wizard is complete, you’ll see the virtual disk that Figure 1 shows. The following PowerShell command performs the same operation:

New-VirtualDisk -StoragePoolFriendlyName MyPool1 -FriendlyName MyVirtualDisk -ResiliencySettingName Mirror -UseMaximumSize


Figure 1: Creating a Virtual Disk

You can use this virtual disk just as if you were using a physical disk. You can configure it to either Master Boot Record (MBR) or GUID Partition Table (GPT) partition style.

Understanding the Choices 

When you’re creating a virtual disk, you have three basic choices: 
the type of storage layout (i.e., simple, mirror, parity), provisioning 
type (thin or fixed), and virtual disk size. Other choices, such as pool 
name and virtual disk name, are more arbitrary in nature. 
Layout. The storage layout is simply the type of RAID you want to use. You can choose Simple (RAID 0 or stripe set without parity), Mirror (RAID 1), or Parity (RAID 5 or stripe set with parity). You can create a simple set with one or more physical disks from the pool. Parity sets require three or more physical disks to be available in the pool. Finally, mirror sets can be created using either two or more physical disks for a two-way mirror, or five or more physical disks for a three-way mirror.

Provisioning type. The provisioning type is a choice between thin provisioning and fixed (aka thick) provisioning. This choice determines whether you want to pre-allocate all the sectors involved in your virtual disk or allow them to be mapped to physical sectors on a “just in time” basis. The virtual disk size is the size of the virtual disk that you want to create. If you select fixed provisioning, you’ll be limited to a size based on the available physical disks in the pool. However, if you select thin provisioning, you can enter a size that’s much greater than the physically available space. As you need them, you can add physical disks into the pool.

Virtual disk size. The size of the virtual disk depends on what 
was selected for provisioning type, storage layout, and the size of the 
physical disks that were used. If you plan to create just one virtual 
disk in your pool, you can simply select the Maximum size option. 
Note that the Maximum size option will be grayed out if you select 
thin provisioning. 

More on Thin Provisioning 

Thin provisioning is a technology that allocates blocks of storage 
on an as-needed, just-in-time basis. In fixed provisioning, physical 
blocks are allocated to the virtual disk whether they’re in use or not. 
In thin provisioning, only the used blocks are mapped to physical 
blocks. This lets you provision a much larger virtual disk than what 
would be possible with fixed provisioning. If the virtual disk starts 
to push toward the boundary of what can be mapped to a physical 
block, you can add more physical disks. 
The benefit of thin provisioning is that storage space isn’t stranded. That is, if you want to have a 10TB virtual disk, you don’t need to provide the physical space for it up front. You can provision a thin virtual disk that is 10TB and add additional physical disks as needed. To make this even more efficient, NTFS has been enhanced to work with the storage subsystem to reclaim space after files are deleted or optimized. Windows has also been optimized to work more efficiently with high-end storage solutions that include thin provisioning functionality. This includes the ability to reclaim unused sectors, like what Storage Spaces and Pools is doing.
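As an added example (not code from the article), the following PowerShell function reports how far a pool has been over-committed by thin-provisioned virtual disks and how close physical allocation is to the boundary at which disks must be added; it assumes the Storage module on Windows Server 2012 or Windows 8, and the pool name MyPool1 and the 80 percent threshold are placeholders.

```powershell
# Added example, not from the article: measure thin-provisioning headroom for a pool.
# Assumes the Storage module (Windows Server 2012 / Windows 8); the pool name and the
# 80 percent warning threshold are placeholders.
function Get-ThinProvisioningHeadroom {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$StoragePoolFriendlyName,
        [ValidateRange(1, 100)][int]$WarnAtPercent = 80
    )

    $pool   = Get-StoragePool -FriendlyName $StoragePoolFriendlyName -ErrorAction Stop
    $vdisks = @($pool | Get-VirtualDisk)

    # Size is what a virtual disk promises; AllocatedSize is what has actually been
    # mapped to physical blocks. The two differ only for thin-provisioned disks.
    $thinCount = @($vdisks | Where-Object ProvisioningType -eq 'Thin').Count
    $promised  = [double](($vdisks | Measure-Object -Property Size -Sum).Sum)
    $committed = [double](($vdisks | Measure-Object -Property AllocatedSize -Sum).Sum)

    $capacity   = [double]$pool.Size
    $usedPct    = 0
    $overcommit = 0
    if ($capacity -gt 0) {
        $usedPct    = [math]::Round(100 * [double]$pool.AllocatedSize / $capacity, 1)
        # A ratio above 1 means the pool has promised more than it physically holds.
        $overcommit = [math]::Round($promised / $capacity, 2)
    }

    [pscustomobject]@{
        Pool              = $pool.FriendlyName
        PhysicalCapacity  = $pool.Size
        PhysicalAllocated = $pool.AllocatedSize
        PercentUsed       = $usedPct
        ThinVirtualDisks  = $thinCount
        PromisedToDisks   = $promised
        CommittedToDisks  = $committed
        OvercommitRatio   = $overcommit
        # True when allocation is near the boundary and physical disks should be added.
        AddDisksSoon      = ($usedPct -ge $WarnAtPercent)
    }
}

Get-ThinProvisioningHeadroom -StoragePoolFriendlyName 'MyPool1' | Format-List
```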


Figure 2: Windows Storage Stack


Understanding the Architecture 

Now, let’s review what’s going on under the hood to make all this happen. Figure 2 shows the Windows storage stack. The SSP driver (SpacePort.sys) plugs in to the stack just above Partition Manager (Partmgr.sys). When a physical disk is brought into a pool, a partition is created on it and the physical disk is hidden from the UI. In the next step, when a virtual disk is carved out of the pool, said virtual disk is then presented back to the UI as a logical disk. The physical disks are still observable in Device Manager, but a new Microsoft Storage Space Device is also listed for each virtual disk that’s created.

Figure 3 depicts how the partitions would look on the physical disks. This covers both legacy MBR disks and disks using the GPT scheme. The partition will have a small area dedicated to storing metadata for Storage Spaces and Pools. The bulk of the partition will be used for actually storing file data. Once a virtual disk is created, it can be configured as either MBR or GPT, then utilized as a physical disk normally would be. It can be formatted with either NTFS or Microsoft’s new Resilient File System (ReFS).

Deep Dive to Understand Additional Options 

Storage Spaces and Pools can be configured with additional granularity to help increase performance. It’s helpful to understand this granularity when you’re adding physical disks to a preexisting virtual disk. Particularly in Windows 8, Storage Spaces and Pools is simple to use, but if you would like to have more control over your storage options, Storage Spaces and Pools can provide that too.

For the most part, you can experience this granularity when you use the PowerShell cmdlet New-VirtualDisk. The elements we’re concerned with are NumberOfColumns (specifies the number of columns to create), NumberOfDataCopies (specifies the number of data copies to create), and ResiliencySettingName (specifies the name of the desired resiliency setting—for example, Simple, Mirror, or Parity).

Number of columns. Figure 4 shows a diagram consisting of three disks. The disks are divided into units. As you stripe across the disks, you’re able to write simultaneously to each spindle. In the RAID world, this is known as a stripe set without parity. Roughly, this is what you’re doing with a virtual disk with a “simple” layout.

Figure 3: How Partitions Look on Physical Disks

Figure 4: Simple Layout

Figure 5: Differences Between Simple, Mirror, and Parity
Each physical disk is a column in your virtual disk. The more physical disks that are available when the virtual disk is created, the more columns it will have—and thus, the more simultaneous writes can occur. This works similarly with parity sets. The more physical disks you start out with, the more columns will be in your virtual disk. The only difference is that some of the space is lost to the parity bits. Windows will scale to use as many as eight columns when a new virtual disk is created (even more if they’re created using PowerShell).

The element used to control the columns is NumberOfColumns. The following is an example of how a user can manually control this element and the ResiliencySettingName element. (This command would create a virtual disk with three columns.)

New-VirtualDisk -FriendlyName NewVDisk -StoragePoolFriendlyName MyPool -NumberOfColumns 3 -ResiliencySettingName simple -UseMaximumSize

Mixing columns with data copies. A data copy is just that: a copy of the data. If you have redundancy in the form of a completely standalone instance, you’ll have more than one copy of the data. Otherwise, you’ll have just one copy.

• A simple space will have just one copy.
• Mirror spaces will have either two or three copies.
• Parity spaces have just one copy.


Only the mirror space has a complete copy of the data instance, as you see in Figure 5. Although the parity space is fault-tolerant, it doesn’t achieve that by using a completely separate instance of the data. Therefore, it still has only a single data copy. A three-way mirror would have three data copies. The downside to the extra data copies is that every write has to be carried out multiple times, once per copy, which makes mirror spaces slower on writes.

With enough physical disks available, Windows can mitigate some of the slower write speeds by striping within each data copy. In the example that Figure 6 shows, four physical disks were used to create a mirror space. So, within each data copy, you can write to two disks simultaneously. Mirror spaces created using the GUI can have as many as four columns (per data copy), but mirror spaces created using PowerShell can have more than four columns. (Note that the number of columns is only per each data copy.)

You can use the New-VirtualDisk element, NumberOfDataCopies, to state the number of data copies. As an example, look at the following PowerShell command, which will create a two-way mirror space that has six columns, similar to Figure 7.
Figure 6: Four Physical Disks Used to Create a Mirror Space

New-VirtualDisk -FriendlyName NewVDisk -StoragePoolFriendlyName MyPool -NumberOfColumns 6 -NumberOfDataCopies 2 -ResiliencySettingName mirror -UseMaximumSize
Figure 7: A Two-Way Mirror Space with Six Columns

Figure 8: Two Simple Spaces


More on Columns 

In Storage Spaces, the number of columns typically goes hand in hand with the number of physical disks available when the virtual disk was created. The number of columns can be less than the number of disks, but not greater. Columns are important because they represent how many disks you can access simultaneously. For example, in Figure 8, there are two simple spaces. They both use two disks, but the one on the left is using one column whereas the one on the right is using two columns. For the simple space on the right, you can carry out I/O on both disks at the same time, making the speed theoretically twice as fast.

The number of columns used by a storage space is set when the space is created. If you use the GUI, the highest number of possible columns will be configured. The following logic applies:

• If using the GUI to create a space, the highest column setting that it will use is eight.
• Using the PowerShell cmdlet New-VirtualDisk will allow you to configure a NumberOfColumns setting higher than eight.
• Parity spaces can’t have more than eight columns (even if created with PowerShell).

Windows IT Pro / December 2012
What Would Microsoft Support Do?

Adding Space to Spaces

Adding disk space to a preexisting storage space can be tricky. Adding to a storage space is all about understanding columns and data copies. In Figure 9, a simple space was created using two physical disks. If you wanted to extend the virtual disk, you would first need to add a new physical disk to the storage pool, if one wasn’t available. However, if an attempt is made to extend the virtual disk after the disk is added, the task would still fail. The error indicates that physical resources don’t exist to support adding more space to the virtual disk, even though you just added a new blank disk to the pool.

The problem is in the number of columns. Windows must follow the same striping model that was used when the space was created. You can’t simply add an additional column. If this were allowed, you would lose all benefit of striping when the original two disks became full. In addition, you can’t tack the new disk onto the bottom of one of the current columns (for much the same reason). To extend a virtual disk, you need to add a number of disks equal to or greater than the number of columns in said virtual disk. Doing so will allow striping to continue in the fashion for which it was originally configured. The same is true in both simple and parity spaces. You must add a number of disks equal to or greater than the number of columns in the virtual disk.

When it comes to mirror spaces, you have to take into account both the number of columns and the number of data copies. For example, a two-way mirror created with four physical disks would look like Figure 10. NumberOfDataCopies equals 2, and NumberOfColumns equals 2. The number of disks needed to extend this virtual disk can be found using the following formula:

NumberOfDataCopies × NumberOfColumns = 2 × 2 = 4
Figure 9: One Simple Space Created with Two Physical Disks

Figure 10: A Two-Way Mirror Created with Four Physical Disks


Four physical disks are needed to extend the example space, similarly to 
Figure 11. The same formula can be used for simple and parity spaces. 
However, NumberOfDataCopies will always equal 1 for both layouts. 
Figure 11: Four Physical Disks Extending the Example Space


Discovering the Number of Data Copies and Columns

If you don’t know how many data copies and/or columns your virtual disk has, it’s easy enough to discover the answer by using the GUI to find the NumberOfColumns and NumberOfDataCopies values. The following PowerShell command would reveal the same information:

Get-VirtualDisk -FriendlyName MyVirtualDisk | ft FriendlyName, NumberOfColumns, NumberOfDataCopies
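The extension rule from the previous section and the discovery command above, combined into one added PowerShell example (not code from the article): it reads NumberOfDataCopies and NumberOfColumns from the virtual disk, applies the formula to compute how many physical disks the pool needs before the disk can be extended, counts the disks that can still be pooled, and optionally adds them. It assumes the Storage module on Windows Server 2012 or Windows 8; MyVirtualDisk is the article’s sample name.

```powershell
# Added example, not from the article: apply the rule that extending a virtual disk
# needs NumberOfDataCopies x NumberOfColumns additional physical disks, and add
# poolable disks to meet it when -AddDisks is given (honours -WhatIf / -Confirm).
# Assumes the Storage module on Windows Server 2012 / Windows 8.
function Test-VirtualDiskExtension {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VirtualDiskFriendlyName,
        # Add the required disks to the pool instead of only reporting.
        [switch]$AddDisks
    )

    $vd   = Get-VirtualDisk -FriendlyName $VirtualDiskFriendlyName -ErrorAction Stop
    $pool = $vd | Get-StoragePool | Where-Object IsPrimordial -eq $false

    # Simple and parity spaces report one data copy, so the formula collapses to
    # NumberOfColumns for them; two- and three-way mirrors multiply by 2 or 3.
    $required = [int]$vd.NumberOfDataCopies * [int]$vd.NumberOfColumns

    # Disks not yet in any pool (still in the Primordial Pool) are the candidates.
    $candidates = @(Get-PhysicalDisk -CanPool $true)

    $result = [pscustomobject]@{
        VirtualDisk        = $vd.FriendlyName
        Pool               = $pool.FriendlyName
        Resiliency         = $vd.ResiliencySettingName
        NumberOfColumns    = $vd.NumberOfColumns
        NumberOfDataCopies = $vd.NumberOfDataCopies
        DisksRequired      = $required
        DisksAvailable     = $candidates.Count
        CanExtend          = ($candidates.Count -ge $required)
    }

    if ($AddDisks -and $result.CanExtend) {
        $toAdd = $candidates | Select-Object -First $required
        $names = ($toAdd.FriendlyName) -join ', '
        if ($PSCmdlet.ShouldProcess($pool.FriendlyName, "Add physical disks $names")) {
            Add-PhysicalDisk -StoragePoolFriendlyName $pool.FriendlyName -PhysicalDisks $toAdd
            # Once the disks are in the pool, grow the space with
            # Resize-VirtualDisk -FriendlyName $vd.FriendlyName -Size <new size>.
        }
    }
    $result
}

# Dry run: shows which disks would be added without touching the pool.
Test-VirtualDiskExtension -VirtualDiskFriendlyName 'MyVirtualDisk' -AddDisks -WhatIf
```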

ReFS on a Mirror 

I want to mention an additional benefit of using Storage Spaces and Pools mirrors. Earlier, I referred to Microsoft’s new file system, ReFS. If files or metadata were to become corrupt on ReFS, Windows can use the redundant copy on the other side of the mirror to repair the damage. This is made possible, in part, by the checksums that both the data and metadata have in ReFS.

Powerful Storage Features 

Storage Spaces and Pools brings functionality to people using low- to mid-range storage that they otherwise would not have access to. It’s easy to configure, can be configured at a granular level for those who want to utilize additional options, and brings additional resiliency to ReFS. Storage Spaces and Pools supports thin provisioning, and like most things in Server 2012 and Windows 8, it can be scripted using PowerShell. Out of all the new storage goodies in Windows, I think this will be the one that people use the most.

InstantDoc ID 144558 
FAQ

Answers to Your Questions

Q: How is email content in the Outlook Social Connector dependent on indexing?

A: The Outlook Social Connector was introduced in Microsoft Outlook 2007 but was ported backward for Outlook 2003 and continues strong in Outlook 2010. When you enter an email address into an address field in Outlook, specifically a new email message, contact, or appointment, Outlook assembles information based on that email address and displays that information in the Social Connector pane. One of the components Outlook renders in the Social Connector pane is email messages received from that address. Outlook uses the Windows Search index to retrieve this information.

I use the Social Connector pane to see if I’ve missed any communication from the person to whom I’m addressing a new message. If the Search index isn’t up-to-date or isn’t working properly, the email information in the Social Connector pane won’t be up-to-date. If some of the email stores have been indexed, the results will show in the Social Connector pane, even if the index isn’t complete.

I experienced that situation recently. Outlook re-indexed my local files, and when I brought up a specific email address, recent messages were shown in the Social Connector pane—but not the most recent ones. As a result of a quick check of the Social Connector, I assumed I was current with this contact.

Search indexing occurs in the background, controlled by Windows Search Service. You can configure what gets indexed within Outlook in the Search options section of Outlook Options, found at File, Options, Search, which Figure 1 shows. You can also access this from the Search tab of the Ribbon by clicking Search Tools, Search Options.


Figure 1: Setting Search Options in Outlook 2010

Figure 2: Dialog Box Showing the Current Outlook Indexing Status


To verify if Outlook still has items to index in Outlook 2010, you can check Search Tools under the Search tab of the Ribbon. (One annoyance in Outlook 2010 is that the Search tab isn’t present in the Ribbon unless the search field, found atop the main pane in Outlook folders, is highlighted.) To see Outlook’s current indexing status, select Search Tools, Indexing Status. If Windows Search Service is running and the current Outlook store is configured to be indexed, then the resulting window will indicate either that “Outlook has finished indexing all your items,” or it will show the number of items not yet indexed, as Figure 2 shows. When indexing completes, all email items will appear properly in your Social Connector pane as expected.

—William Lefkovics 
InstantDoc ID 143898 
Q: What is Samba winbind and how can I use it to let users log on to a UNIX-Linux host with their Active Directory (AD)-defined Windows credentials?

A: Samba winbind provides a unified login experience between UNIX-Linux and Windows systems by letting users log on to a UNIX-Linux host by using Windows domain credentials. Winbind does have some complexities you need to watch out for when configuring it, however.

Winbind is a service that comes bundled with the free Samba software. Samba is a collection of software that enables UNIX and Linux platforms to access file and print services by using the SMB and Common Internet File System (CIFS) network protocols on Windows platforms and to provide file and print services to Windows clients using SMB and CIFS.

Figure 3 illustrates winbind architecture. Note in the figure that 
winbind not only lets a UNIX-Linux user use a Windows domain for 
authentication, but it also allows the UNIX-Linux host to be joined to 
and authenticate to a Windows domain. 
Figure 3: Typical Winbind Architecture

Winbind works against domain controllers (DCs) and domains on Windows Server 2008 and earlier. It doesn’t require changes on the Windows DC side; most changes are related to the UNIX-Linux client. The winbind solution is built on the winbind daemon (winbindd), a pluggable authentication module (PAM) called pam_winbind, a Name Service Switch (NSS) module called libnss_winbind, and a database file called winbind_idmap.tdb.

The winbindd code includes a UNIX implementation of Microsoft 
remote procedure calls (RPCs). Winbindd uses RPCs to authenticate 
users against a Windows domain, to obtain Windows domain user 
and group details from a Windows DC, and to change the passwords 
of Windows accounts. 

The pam_winbind module enables users to log on to a UNIX-Linux host with their Windows credentials. The following is an excerpt of a sample PAM configuration file that enables the UNIX-Linux logon process to call on winbind for authenticating a user; in this particular example, pam_unix would reuse the credentials provided by the user if winbind authentication failed:

login auth sufficient pam_winbind.so
login auth required pam_unix.so nullok try_first_pass

The libnss_winbind NSS module enables UNIX-Linux hosts and the 
services running on these hosts to call on a Windows DC for user 
password and group naming information. To use the winbind NSS 
module, you must edit the nsswitch.conf NSS configuration file as 
follows: 

passwd: files winbind 
group: files winbind 

You can find the nsswitch.conf file in the /etc directory (which also 
contains other configuration files) on your UNIX-Linux host. 
The winbind_idmap.tdb database contains mappings between Windows user and group names and their corresponding UNIX-Linux User Identifiers (UIDs) and Group Identifiers (GIDs). When a user logs on to a UNIX-Linux host by using a Windows account, the UNIX-Linux host doesn’t understand the Windows account format. Also, Windows accounts can’t be used to set permissions on UNIX-Linux resources: UNIX-Linux access control settings require UIDs and GIDs. Therefore, winbind automatically creates a Windows user account-to-UNIX-Linux UID mapping for each new Windows user that logs on to a winbind-enabled UNIX-Linux host.

The UIDs winbind uses for the Windows account mappings are 
defined in the Samba smb.conf configuration file. Administrators can 
set aside a range of UIDs and GIDs to be used by winbind on a UNIX- 
Linux host by setting the idmap parameters in the smb.conf Samba 
configuration file. For example, the following smb.conf entries set 
aside the UID range 2,000 to 3,000 and the GID range 2,000 to 3,000 
for use by winbind: 

idmap uid = 2000-3000 
idmap gid = 2000-3000 

These mappings must be defined on each UNIX-Linux host that users 
will log on to with Windows credentials. When defining the idmap 
UID and GID ranges for a host, you must make sure these ranges 
don’t overlap with locally defined UNIX-Linux users or groups. 

Also, standard winbind doesn’t include a feature to ensure that a 
Windows user is assigned the same UID on different UNIX-Linux 
hosts. This limitation explains why idmap can lead to inconsistencies 
if Windows users are logging on from different UNIX-Linux hosts and 
accessing shared resources such as NFS file servers. Because different 
UNIX-Linux hosts can map different UIDs, whether users can access 
a particular NFS resource might depend on what UID they use or, in 
other words, which UNIX-Linux host they use to access the resource. 

Some winbind implementations provide a solution to this problem 
based on the idmap_rid smb.conf configuration setting. The 
idmap_rid setting enables winbind daemons to generate unique UIDs 
and GIDs across a Windows domain; the uniqueness is based on 
mapping the Relative Identifier (RID) portion of a Windows SID to a 
UNIX/Linux UID or GID. 

You can find more information about how to set up winbind and its different components in the Samba-HOWTO Collection documentation. You can also find commercial alternatives to Samba winbind, such as Quest Authentication Services (formerly known as Vintela Authentication Services, now owned by Dell via its acquisition of Quest) and Centrify DirectControl. Both solutions provide centralized AD-based user and machine account management for Windows and UNIX-Linux clients. Compared to Samba winbind, these solutions offer much easier deployment and more configuration options, but those expanded choices obviously come at a price.

—Jan De Clercq 
InstantDoc ID 144129 
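The overlap check the answer calls for, as an added example (not code from the answer): this PowerShell function parses the idmap uid and idmap gid ranges out of smb.conf text and reports any local passwd or group entry whose UID or GID already falls inside them. It runs wherever PowerShell is available; the smb.conf, passwd, and group contents below are constructed samples, not taken from a real host.

```powershell
# Added example, not from the Q&A: flag local UIDs/GIDs that collide with the
# idmap ranges reserved for winbind in smb.conf. Inputs are plain text so the
# check can run against files copied from a host; the samples below are constructed.
function Test-IdmapRangeOverlap {
    param(
        [Parameter(Mandatory)][string]$SmbConfText,
        [Parameter(Mandatory)][string]$PasswdText,
        [Parameter(Mandatory)][string]$GroupText
    )

    # Parse "idmap uid = 2000-3000" and "idmap gid = 2000-3000" into [low, high].
    $ranges = @{}
    foreach ($line in $SmbConfText -split "`n") {
        if ($line -match '^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$') {
            $ranges[$Matches[1]] = @([int]$Matches[2], [int]$Matches[3])
        }
    }
    if ($ranges.Count -lt 2) { throw 'smb.conf has no idmap uid and idmap gid ranges' }

    # Local ids come from field 3 of passwd (UID) and group (GID) entries.
    $parseIds = {
        param($text)
        foreach ($l in $text -split "`n") {
            $f = $l.Trim() -split ':'
            if ($f.Count -ge 3 -and $f[2] -match '^\d+$') {
                [pscustomobject]@{ Name = $f[0]; Id = [int]$f[2] }
            }
        }
    }
    $localUsers  = & $parseIds $PasswdText
    $localGroups = & $parseIds $GroupText

    $uidHits = @($localUsers  | Where-Object { $_.Id -ge $ranges.uid[0] -and $_.Id -le $ranges.uid[1] })
    $gidHits = @($localGroups | Where-Object { $_.Id -ge $ranges.gid[0] -and $_.Id -le $ranges.gid[1] })

    [pscustomobject]@{
        UidRange        = "$($ranges.uid[0])-$($ranges.uid[1])"
        GidRange        = "$($ranges.gid[0])-$($ranges.gid[1])"
        OverlappingUids = $uidHits.Name
        OverlappingGids = $gidHits.Name
        # False means winbind could hand a domain user an id that a local account owns.
        Safe            = ($uidHits.Count -eq 0 -and $gidHits.Count -eq 0)
    }
}

# Constructed samples: one local service account and its group sit inside the ranges.
$smbConf = @"
[global]
   workgroup = EXAMPLE
   idmap uid = 2000-3000
   idmap gid = 2000-3000
"@
$passwd = @"
root:x:0:0:root:/root:/bin/bash
svcbackup:x:2500:2500:backup service:/var/lib/backup:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"@
$group = @"
root:x:0:
svcbackup:x:2500:
alice:x:1001:
"@

Test-IdmapRangeOverlap -SmbConfText $smbConf -PasswdText $passwd -GroupText $group
```

With the sample data the result reports svcbackup as an overlapping UID and GID and Safe as False; on a real host, feed it the contents of /etc/samba/smb.conf, /etc/passwd, and /etc/group.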

Q: Can I use Microsoft SQL Server 2012 Standard with System Center 2012 SP1 even though SQL Server 2012 uses per-core licensing?

A: The existing rights that were previously available with System Center 2012, namely the use of SQL Server Standard to support the System Center 2012 management servers (but not for use by any other application or service), remain and extend to SQL Server 2012 Standard with System Center 2012 SP1, which adds support for SQL Server 2012.

Even though SQL Server licensing changed with SQL Server 2012, it doesn’t affect the use of SQL Server 2012 Standard for the exclusive use of System Center 2012 SP1 management servers. As part of the System Center 2012 license, the customer has the right to use SQL Server Standard to support the System Center management servers. However, if you want to use SQL Server for more than just System Center 2012 purposes, you need to license the SQL Server instances per the usual SQL Server licensing.

—John Savill 
InstantDoc ID 144276 

Q: Can I create a Windows Server 2012 failover cluster with a single node in it?

A: Yes, you can create a Windows Server 2012 failover cluster with a single node in it. Typically, a failover cluster would have at least two nodes in the cluster to allow resources to actually fail over between nodes in a planned or unplanned scenario. However, it’s possible to create a cluster with only a single node in it.

This can be useful for learning scenarios, to look at cluster functionality without having a large hardware investment. It also allows you to take advantage of certain cluster features such as virtual machine (VM) service health monitoring, which can automatically restart a VM if a service within the VM fails a certain number of times.

—John Savill 
InstantDoc ID 144088 

Q: What is Offloaded Data Transfer in Windows Server 2012?

A: When Windows Server 2012 is connected to a storage array such as a SAN, it has access to very powerful hardware designed to move and copy data. When Server 2012 needs to move or copy data on a SAN, the OS reads the data into its buffer, then writes it back out, constantly reading and writing the data. This uses resources on the host server and slows down the actual copy-move action, as the SAN is capable of moving and copying far more efficiently.

Offloaded Data Transfer (ODX) lets Server 2012 request that the 
SAN perform the move or copy actions directly, bypassing the host. 
This removes any performance hit on the Windows Server host and 
allows the SAN to perform the actions much faster. 

Most of the major SAN vendors are working with Microsoft to support ODX in their SANs, which will allow any file move or copy operation that goes through the file service APIs to be handled directly by the SAN. Some vendors that have tested and will have available ODX solutions include Dell, EMC, Fujitsu, HP, IBM, and NetApp.

Some key scenarios where the speed difference would be significant would be moving a large virtual machine (VM) or even creating a new VM from a template on the SAN—the process can now take seconds instead of minutes. This same technology can be used between separate SANs that have support for cross-SAN ODX.

If you’re using a SAN with Server 2012, definitely look for ODX support by the vendor, as it will give better disk performance and save resources on the actual host. For more information about ODX, see the Microsoft white paper “Offloaded Data Transfer (ODX) with Intelligent Storage Arrays” and the ODX site at TechNet.

—John Savill 
InstantDoc ID 144028 
Editors’ Best

The polls have closed!


Our annual Windows IT Pro Editors’ Best and Community Choice award programs give us a unique way to recognize the hottest products on the market for the current year. Our Editors’ Best program highlights products that Windows IT Pro editors and contributors believe are worthy of recognition, whereas our Community Choice program lets readers like you decide which products are the best.

Our editors always face a challenge when choosing their Editors’ Best favorites from such a competitive and multifaceted field. But we feel, as always, that this year’s winners show an uncommon breadth of functionality and originality. As for Community Choice, we followed the same process as in previous years by opening up the Community Choice nomination process to all. We let you nominate your favorite products and services, built the voting survey from there, and let everyone participate in the final voting phase.

In these pages, you'll find our Gold, Silver, and Bronze Editors' Best winners in each category directly adjacent to your Community Choice winners. Sometimes our editors and readers have agreed on favorite products and services in a given category, but more often they haven't. Do you agree with the choices our editors have made? Or do the picks that our readers have made carry more weight? Let us know! Regardless of whether these winners were chosen by editors or readers, you can be sure that all these products are worthy of serious consideration if you're in the market for a new tool. 
Cover Story 


Best Active Directory/ 

Group Policy Product 

Editors' Best 

Gold: RadiantOne Virtual Directory Server 

Radiant Logic 

Silver: ADManager Plus 

ManageEngine 

Bronze: ActiveRoles Server 

Dell (formerly Quest Software) 

Why It Won 

More than ever, Active Directory (AD) isn't the only identity store that IT pros need to deal with. There are UNIX/Linux directories, HR databases, and application identity databases, and they probably don't communicate with one another. And now, you must also present a unified identity namespace to whatever identity bridge (on-premises federation servers or cloud-based Identity as a Service—IDaaS) you'll use to extend your identity to the cloud for Software as a Service (SaaS) applications. RadiantOne Virtual Directory Server (VDS) is a fast, flexible, and relatively inexpensive solution compared with traditional metadirectory service implementations. Its biggest benefit is that it unifies your AD implementation and other identities into an enterprise directory, but once you have the product in place, there are additional unique capabilities it can provide you. 


Best Antivirus/Anti-Malware Product 

Editors' Best 

Gold: Symantec Endpoint Protection 
Symantec 

Silver: ESET Endpoint Security 
ESET 

Bronze: GFI VIPRE Antivirus Business 

GFI Software 




Why It Won 

IT pros look for effective and reputable endpoint antivirus solutions 
that won't bog systems down. Symantec Endpoint Protection 
continues to fulfill that need with a lightweight solution that 
provides security for both physical and virtual systems. The solution 
leverages the company's security-based reputation technology, 
Symantec Insight, which provides valuable features such as browser 
intrusion prevention, enhanced client deployment, recovery 
capabilities, and support for Linux and Apple Macintosh systems. 
Symantec continues to be a leader in the security industry by 
providing quality and lightweight endpoint security solutions. 



Community Choice 

Gold: NetWrix Active Directory Change Reporter 

NetWrix 


Silver: ADManager Plus 

ManageEngine 

Bronze: Centrify Suite 

Centrify 





Community Choice 

Gold: Malwarebytes for Small Business 

Malwarebytes 

Silver: Symantec Endpoint Protection 

Symantec 

Bronze: Kaspersky Anti-Virus 
Kaspersky Lab 



"Netwrix's Active Directory Change Reporter is 
slick—a great time saver for us!" 

Other Hot Products in This Year's Community Choice Survey 

Dell ActiveRoles Server (formerly Quest Software) 

DameWare Remote Support (formerly DameWare NT Utilities) 

Avecto Privilege Guard 


"Malwarebytes is top of the line when it comes to killing 
tough viruses!" 

Other Hot Products in This Year's Community Choice Survey 

McAfee SaaS Endpoint Protection Suite 
Sophos Endpoint Protection 
ESET NOD32 Antivirus 
Best Auditing/Compliance Product 
Editors' Best 

Gold: Blackbird Privilege Explorer for File System 
Blackbird Group 

Silver: STEALTHbits Data & Access Governance 
STEALTHbits Technologies 

Bronze: Centrify Suite Standard Edition 

Centrify 

Why It Won 

Although Microsoft SharePoint has the greatest mindshare at the 
moment, the reality is that the majority of corporate data is still 
kept on file servers. One of the most difficult management tasks 
for Windows administrators is figuring out what network resources 
a particular user has access to. Blackbird Privilege Explorer for File 
System gives you insight into user access in both historical and 
real-time modes. And what puts Blackbird Privilege Explorer for File 
System ahead of the competition is its "per heartbeat" licensing, 
which charges only for active users instead of every user account. 
This makes it affordable for organizations such as universities, 
which often have a moderate number of active students but a far 
greater number of slightly active alumni accounts. 


Community Choice 

Gold: NetWrix Change Reporter Suite 

NetWrix 


Silver: DocAve Report Center for 
Microsoft SharePoint 2010 
AvePoint 





Bronze: NetIQ Secure Configuration Manager 

NetIQ 


"NetWrix Change Reporter Suite is great when the 
auditors show up—I just hand them the reports." 

Other Hot Products in This Year's Community Choice Survey 

Centrify Suite Enterprise Edition 
ManageEngine ADAudit Plus 
Axceler ControlPoint 


Editors' Best and Community Choice Awards 


Best Backup and Recovery Product 


Editors' Best 


Gold: Veeam Backup & Replication 

Veeam Software 


Silver: Acronis True Image 

Acronis 




Bronze: EMC Avamar 

EMC 


Why It Won 

In today's increasingly virtual world, Veeam Backup & Replication is rising in prominence and power. Built specifically to provide fast backup and recovery of virtual machines (VMs), whether on VMware or Hyper-V, Veeam Backup & Replication lets you protect your entire virtual infrastructure from a unified console. It offers industry-leading features such as Instant VM Recovery, Instant File-Level Recovery, 2-in-1 backup and replication, and built-in de-duplication. Our own Alan Sugano wrote a glowing recommendation for this product in the September 2012 issue of Windows IT Pro: "I was so impressed with Veeam Backup & Replication that I replaced my existing virtualization backup solution with it. In addition, I now recommend it to my clients as the preferred backup solution in a vSphere 5 environment. I can't think of a stronger recommendation than that." 


Community Choice 

Gold: Veeam Backup & Replication 
Veeam Software 

Silver: Backup Exec 

Symantec 

Bronze: Acronis Backup & Recovery 
Acronis 


"VEEAM rocks! Backup nightmares are ancient history 
now" 

Other Hot Products in This Year's Community Choice Survey 

AvePoint DocAve Backup and Recovery for Microsoft SharePoint 2010 

NetIQ PlateSpin Protect 

CommVault Simpana 
Best Cloud Computing Product 

Editors' Best 

Gold: TripIt 

Concur Technologies 

Silver: Dropbox 

Dropbox 

Bronze: Unified Email Management (UEM) 

Mimecast 

Why It Won 

TripIt isn't, strictly speaking, an IT pro application, but it's quickly becoming a must-have for anyone who travels regularly for business—including IT pros. If you've never used it, TripIt is a cloud service that takes travel itineraries, hotel reservations, rental car reservations, and a variety of other types of travel information (such as airbnb.com reservations) and consolidates them into a simple and easy-to-use web service. The TripIt app is available for all mobile platforms. Its classic app front-end/cloud back-end architecture provides the traveler with a pocket reference for his or her travel. If you upgrade to TripIt Pro, you get real-time flight alerts (at the same time the gate agents get them), baggage claim notifications, and the ability to immediately share travel information with a trusted group. The business version allows a travel organizer to manage a team's travel schedules as well. It's on my short list of indispensable apps/cloud services on any mobile platform I use. 




Community Choice 

Gold: Dropbox 
Dropbox 

Silver: Google Apps for Business 
Google 

Bronze: Amazon Web Services 
Amazon Web Services 


"DropBox is dead easy to use—lets you quickly share items by literally dropping them in a box for people to access!" 

Other Hot Products in This Year's Community Choice Survey 

AvePoint DocAve Online for Microsoft SharePoint 
NetIQ Cloud Manager 
SkyDox Business Edition 


Best Deployment/Configuration Product 


Editors' Best 

Gold: Specops Deploy 
Specops Software 

Silver: Desktop Authority 

Dell (formerly Quest Software) 

Bronze: VMware vCenter Configuration Manager 

VMware 


Why It Won 

The process of manually rolling out an OS across an organization's network can be tedious and time consuming. Although there are several third-party deployment products that can help automate the process, Specops Deploy is an exceptional deployment tool for any IT pro because of its usability, painless installation, virtual application deployment capabilities, and ability to leverage Active Directory (AD) and Group Policy. Specops Deploy requires no additional software, and its real-time feedback capabilities and competitive pricing make this deployment solution an easy choice as well. 


Community Choice 

Gold: VMware vCenter Configuration Manager 

VMware 

Silver: ZENworks Configuration Management 

Novell 

Bronze: XenDesktop 

Citrix Systems 


"VMware vCenter Configuration Manager—no comment necessary because it does all the talking!" 

Other Hot Products in This Year's Community Choice Survey 

Symantec Altiris Deployment Solution 
Dell KACE K2000 Deployment Appliance 
SmartDeploy Enterprise 



Most Overused IT Buzzwords 

1. Cloud (by far) 
2. Big data 
3. Synergy 
4. Governance 
5. Bring Your Own Device (BYOD) 
6. Consumerization 
7. Best practice 
8. Real time 
9. Low-hanging fruit 
10. ROI 



Best Hardware: Server 


Editors' Best 

Gold: HP ProLiant DL380p Gen8 

HP 

Silver: PowerEdge R815 Rack Server 
Dell 

Bronze: Cisco UCS C260 M2 Rack Server 
Cisco Systems 

Why It Won 

The HP ProLiant DL380p provides an unprecedented amount of processing power in a very compact package. It carries forward all the HP management features that you've come to expect, such as the Integrated Lights-Out (iLO) management system, but it also includes a number of new features designed to make it easier to set up and manage, including the new tool-less case design, FlexibleLOM technology, and Active Health System. Representing the latest in rack-mounted server technology, the HP ProLiant DL380p received an extremely positive review from our own Michael Otey in our October 2012 issue. 


Community Choice 

Gold: PowerEdge Series 
Dell 

Silver: HP ProLiant 

HP 

Bronze: Cisco Unified Computing System (UCS) 

Cisco Systems 

Other Hot Products in This Year's Community Choice Survey 

HP BladeSystem 
IBM System x 
Intel Xeon 

WWW.WINDOWSITPRO.COM 


Best Hardware: Workstation 

Editors' Best 

Gold: HP Pavilion HPE h9 
HP 

Silver: Dell XPS 8500 
Dell 

Bronze: ThinkStation D30 

Lenovo 

Why It Won 

The HP Pavilion HPE h9 is a powerful but affordable Core i7 quad- 
core desktop that's capable of functioning as an administrative, 
development, graphics, or virtualization platform. The system 
supports up to 32GB of Double Data Rate 3 (DDR3) RAM and can 
be equipped with optional 256GB solid state disk (SSD) drives. A 
built-in liquid cooling system keeps the system very quiet. This is 
a solid, well-balanced workstation that can handle just about any 
productivity need. 


Community Choice 

Gold: OptiPlex 
Dell 

Silver: ThinkCentre 

Lenovo 

Bronze: HP Pavilion 

HP 


"If there's one desktop for business, Dell OptiPlex is the 
answer." 


Other Hot Products in This Year's Community Choice Survey 

Dell Precision workstations 
HP Z800 workstations 



Most Encouraging IT Trends 

1. Cloud computing 
2. Bring Your Own Device (BYOD) 
3. Technology Business Management 
4. Virtual Desktop Infrastructure (VDI) 
5. Insourcing 
6. Consumerization of IT 
7. Virtualization 
8. Improved security 
9. Hiring is up 
10. Solid state disks (SSDs) 
Best Hardware: Portable Computer 


Editors' Best 

Gold: ThinkPad X1 Carbon 
Lenovo 

Silver: Series 9 

Samsung 

Bronze: ASUS Zenbook UX31 
ASUS 


Why It Won 

This is a tough time to review portable computers because Windows 8 and a new generation of innovative form factors are on the way. But in what will surely be the last Editors' Best category that doesn't include tablets, convertibles, and other hybrid PCs, the final generation of ultrabook PCs that lack multi-touch capabilities is the best yet. And if you accept that ultrabooks are the top of the heap when it comes to Windows 7-based portable computers, it should come as no surprise that the single best machine in this market segment, bar none, is the ThinkPad. Weighing less than 3 pounds, Lenovo's ThinkPad X1 Carbon offers superior portability while offering more than 7 hours of battery life in real-world use, integrated broadband wireless capability, and a high-resolution 1600 x 900 display. But what puts it over the top is the ThinkPad typing experience. You'll never find a better keyboard than those offered by Lenovo. Although the X1 Carbon's thinness does mean a bit of key travel loss compared with other ThinkPads, this machine stands alone in the Ultrabook category. The only thing that ThinkPad is lacking is a 15" version. For that, you need to turn to Samsung, whose 15" Series 9 machine is an excellent compromise. 


Community Choice 

Gold: Latitude 
Dell 

Silver: ThinkPad 

Lenovo 

Bronze: MacBook Pro 
Apple 

Other Hot Products in This Year's Community Choice Survey 

HP EliteBook Notebook PCs 
Apple MacBook Air 


Best Hardware: Storage 


Editors' Best 

Gold: Hyper ISE 

X-IO 

Silver: VNX Family 

EMC 

Bronze: FAS2200 Series 
NetApp 


Why It Won 

X-IO has been on the radar of Windows IT Pro for a couple of years now, since the company took surprising honors in the 2011 Best of Microsoft TechEd awards. (X-IO went on to capture two high-profile awards at the 2012 show.) Since then, X-IO's signature powerhouse, the Hyper ISE, has taken great strides in the storage realm. This is a performance-driven storage system that fuses together solid state disks (SSDs) and hard disk drives (HDDs) into a single pool of capacity managed by Continuous Adaptive Data Placement (CADP), the component that elevates this solution into the stratosphere, providing real-time provisioning of workloads to the right disk resources. The performance numbers of the X-IO Hyper ISE continue to skyrocket, blowing away the competition in all kinds of real-world data-intensive applications and environments. This is a system that provides SSD performance at HDD prices, and it's outperforming storage systems that are far more expensive. 


Community Choice 

Gold: VNX Family 

EMC 

Silver: FAS2200 Series 

NetApp 

Bronze: EqualLogic 

Dell 


"Why buy one VNX 5500 when you can spend twice as much and get two?" 

Other Hot Products in This Year's Community Choice Survey 

Dell Compellent 
HP EVA Storage 
Seagate Hard Drives 
Best Hardware: Networking 
Editors' Best 

Gold: BIG-IP Local Traffic Manager (LTM) 

F5 Networks 

Silver: NetScaler Application Delivery Controller 

Citrix Systems 

Bronze: Arista 7500 Series 
Arista Networks 

Why It Won 

Here at Windows IT Pro, we've watched F5 Networks evolve from an 
eager, young load-balancing business into the powerhouse market 
leader that it is today. The company's flagship product, BIG-IP LTM, 
increases your operational efficiency and ensures peak network 
performance by providing a flexible, high-performance application 
delivery system. With its application-centric perspective, BIG-IP 
LTM optimizes your network infrastructure to deliver availability, 
security, and performance for critical business applications. Putting 
this system over the top is its easy-to-use management interface, 
ideal for today's general-purpose IT pro. 



Community Choice 

Gold: Cisco Catalyst 6500 Series Switches 
Cisco Systems 

Silver: HP ProCurve Switches 
HP 

Bronze: SRX Series Services Gateways 
Juniper Networks 



"Cisco Catalyst = gold standard" 

Other Hot Products in This Year's Community Choice Survey 

Cisco Nexus Series Switches 

Citrix Systems NetScaler Application Delivery Controller 
F5 Networks BIG-IP LTM 




Best Hardware: Appliance 

Editors' Best 

Gold: HP VirtualSystem 
HP 

Silver: FalconStor NSS VS Series HA Appliance 

FalconStor Software 

Bronze: Greenplum Data Computing Appliance 

EMC 


Why It Won 

The HP VirtualSystem appliance removes the 
complexity of implementing high-performance 
and scalable virtualization in the enterprise. 

This preconfigured appliance has been expressly 
designed by HP and Microsoft to speed up the 
deployment of high-performance virtualization 
platforms. The preconfigured server, networking, 
and storage subsystems remove the trial-and- 
error guesswork involved in designing highly 
scalable virtualization servers. 



Community Choice 

Gold: Dell KACE K1000 Systems Management Appliance 
Dell KACE 

Silver: Barracuda Spam & Virus Firewall 

Barracuda Networks 

Bronze: BIG-IP Product Suite 

F5 Networks 


"The KACE K1000 saves me time every day!" 

Other Hot Products in This Year's Community Choice Survey 

Dell SonicWALL Network Security Appliance (NSA) Series 
Symantec NetBackup Appliance 
Riverbed Technology Steelhead Family 
Best High Availability Product 

Editors' Best 

Gold: CA ARCserve High Availability 
CA Technologies 

Silver: LoadMaster 5300 
KEMP Technologies 

Bronze: Double-Take Availability 

Vision Solutions 

Why It Won 

CA ARCserve High Availability is a top-notch solution that protects all aspects of the Windows environment, including system state, applications, and data. The environment is protected through physical-to-virtual and virtual-to-virtual replication and failover to a Microsoft Hyper-V, VMware ESX, VMware vSphere, or Citrix XenServer replica server. Offering seamless and automatic failover and fallback, CA ARCserve High Availability provides high availability for your most critical applications, including Microsoft Exchange Server, SQL Server, and SharePoint, as well as your other business-specific applications. Knowing that a single interruption or loss can mean irreparable damage to your business, there's no more stress-reducing product you could add to your environment. 


Community Choice 

Gold: VMware vCenter Site Recovery Manager 

VMware 

Silver: Veeam Backup & Replication 

Veeam Software 

Bronze: DocAve High Availability for Microsoft SharePoint 
AvePoint 



"VMware Site Recovery Manager is the best, because 
when you need this type of product, there's no room for 
errors, wasted time, or corrupted VMs." 

Other Hot Products in This Year's Community Choice Survey 

Symantec System Recovery (formerly Backup Exec System Recovery) 
NetIQ PlateSpin Forge 


Best Interoperability Product 
Editors' Best 

Gold: Kelverion Integration Packs for System Center 2012 

Kelverion 

Silver: Centrify Suite 

Centrify 

Bronze: ExtremeZ-IP 

GroupLogic 

Why It Won 

Kelverion's Integration Packs for System Center 2012 extend the integration and automation capabilities of Microsoft System Center 2012 and System Center 2012 Orchestrator to other major systems, improving IT efficiency. Today, many organizations have difficulty dealing with the IT silos created by using multiple management systems for multiple IT services. Integrating the data from these management systems can make the difference between an inefficient IT department and one that runs smoothly—and that's where Kelverion's Integration Packs come in. IT expert and Windows IT Pro author John Savill says, "System Center Orchestrator provides not only an integration and automation foundation for System Center 2012 but also the entire data center. With the Integration Packs from Kelverion, that integration story becomes so much more powerful, making Orchestrator and System Center 2012 that much more useful." Interestingly, Kelverion was founded by former employees of Opalis, which was acquired by Microsoft and became Orchestrator. 


Community Choice 

Gold: RealVNC 
RealVNC 

Silver: Centrify Suite 

Centrify 

Bronze: ExtremeZ-IP 

GroupLogic 


"RealVNC made me fat! I don't need to move anymore!" 

Other Hot Products in This Year's Community Choice Survey 

Paragon Software Group NTFS for Mac OS X 10 
Binary Tree CMT for Coexistence 




Best Management Suite 
Editors' Best 

Gold: Altiris IT Management Suite 

Symantec 

Silver: SolarWinds 

SolarWinds 

Bronze: Desktop Authority 

Dell (formerly Quest Software) 

Why It Won 

Symantec's Altiris IT Management Suite gives you the framework you need to simplify monitoring and management of your IT environment for both client and server systems. It works across multiple platforms—Windows, Mac OS, Linux, and virtual environments—and provides you with real-time data about your systems, helping you to make the best decisions. The suite includes provisioning and software rollout, license management, and patch management. With add-ons, you can also incorporate mobile management and Help desk services. It's a complete, cost-effective lifecycle management solution. 


Community Choice 

Gold: VMware vCenter Operations Management Suite 

VMware 

Silver: Spiceworks MyWay 

Spiceworks 

Bronze: SolarWinds 

SolarWinds 


"VMware Ops Manager gives you a clear view into your 
environment." 

Other Hot Products in This Year's Community Choice Survey 

NetWrix Enterprise Management Suite 

Axceler ControlPoint 

NetIQ AppManager 


Best Messaging Product 

Editors' Best 

Gold: Mail Disclaimers 

Exclaimer 

Silver: Mailscape 

ENow 

Bronze: NetWrix Exchange Change Reporter 

NetWrix 

Why It Won 

Sometimes the seemingly simple things prove to be truly impressive. Such is the case with Exclaimer Mail Disclaimers. The product's basic premise is that it gives an organization control over email signatures and disclaimers that are applied to every message sent through Microsoft Exchange Server. However, when you take a closer look, you'll see that Mail Disclaimers lets you take control of company branding in a broad sense. Using rules-based logic, you can apply different messaging to different types of messages, such as internal versus external sends. Various groups in your organization, based on Active Directory (AD), can also be set up with individualized signatures to promote their own projects. You can even set a date range on specific templates to indicate when they should be applied. The list of features goes on. Exclaimer has put a lot of good work into this product over the years, and any organization could benefit from checking it out. 


Community Choice 

Gold: Skype—Business Version 
Skype 

Silver: Barracuda Spam & Virus Firewall 

Barracuda Networks 

Bronze: Lotus Domino 

IBM 


"Believe the hype—Skype!" 

Other Hot Products in This Year's Community Choice Survey 

Symantec Messaging Gateway 
NetWrix Exchange Change Reporter 


Best Microsoft Product 


Editors' Best 

Gold: Windows Server 2012 
Microsoft 

Silver: Hyper-V Server 2012 

Microsoft 

Bronze: Windows 7 

Microsoft 


Why It Won 

Windows Server 2012 is a stellar achievement. It will take most IT pros months to fully analyze the many capabilities of the product and how those features will benefit their businesses. 

For enterprises, Server 2012 has greatly increased scalability and multiple-server management over its predecessor, and Hyper-V's power and flexibility is now on a par with that of any competitor. But an especially pleasant surprise is that the product is appealing for small-to-midsized businesses (SMBs). It removes the high-cost barrier to shared storage, storage virtualization, and production-worthy virtualization. In addition, Server 2012 includes capabilities that IT pros have requested for years, such as IP address management. Practically every IT shop will find something in Server 2012 that's to its liking. 


Community Choice 

Gold: Windows 7 
Microsoft 

Silver: Office Professional 2010 

Microsoft 

Bronze: Exchange Server 

Microsoft 




"Hands down, Windows 7 is the best Microsoft OS so far!" 

Other Hot Products in This Year's Community Choice Survey 

Windows Server 2012 
SharePoint 2010 
Hyper-V Server 2012 


Best Mobile and Wireless Product 




Editors' Best 

Gold: MobiControl 

SOTI 

Silver: Managed Mobile Device Management Services 

Azaleos 

Bronze: Avalanche 

Wavelink 

Why It Won 

The days when an organization could issue a single model of mobile device to all eligible employees are long past; with Bring Your Own Device (BYOD), employees at all levels want to connect to corporate resources using not only their own phones but also their own tablets. SOTI MobiControl is a mobile device management (MDM) product that helps IT departments take control of mobile devices in a BYOD world. Optimized for both Apple iOS and Google Android devices, MobiControl provides provisioning and asset-management capabilities. It also provides Help desk services with remote control, alerts, reporting, and location services for tracking devices. Plus, MobiControl features Windows Desktop Lockdown to limit the interface available to users on Windows machines to just the subset of features you want users to have available—a useful feature for kiosk locations or situations where security could be a concern. 




Community Choice 

Gold: Cisco Wireless Control System 

Cisco Systems 

Silver: SolarWinds Mobile Admin 

SolarWinds 

Bronze: Mobile Management for Configuration Manager 

Symantec 

"Cisco covers all your BYOD needs—with security!" 

Other Hot Products in This Year's Community Choice Survey 

Lenovo ThinkVantage Access Connections 
MobileIron Mobile Device Management 
Best Network Management Product 


Editors' Best 


Gold: Network Performance Monitor 
SolarWinds 


Silver: WhatsUp Gold 

Ipswitch 


Bronze: EventSentry 

NETIKUS.NET 


Why It Won 

A finalist in the Best of TechEd award program this year, SolarWinds Network Performance Monitor (now in version 10.3) gives you the ability to quickly detect, diagnose, and resolve network performance problems. It also provides excellent real-time views and dashboards for visually tracking network performance. One of the core strengths of Network Performance Monitor is its dynamic network topology maps, which let you easily stay on top of your growing network, thanks to the product's network auto-discovery capabilities. Introduced into Network Performance Monitor at version 10.1 is the ability to easily and affordably scale the product's network management to data center networks of all sizes. Of particular note is the product's continued focus on "paying for what you need." This is an extremely scalable solution that prides itself on its affordability at all levels, from the small office to the enterprise. It is also a very approachable solution, bringing ease of use and an intuitive UI to a sometimes-onerous task. 


Community Choice 

Gold: Network Performance Monitor 
SolarWinds 

Silver: Spiceworks MyWay 

Spiceworks 

Bronze: LogMeIn Central 

LogMeIn 


"SolarWinds rules!" 

Other Hot Products in This Year's Community Choice Survey 

Dell Foglight Network Management System (formerly Quest Software) 
Splunk Enterprise 


Best Patch Management Product 


Editors' Best 


Gold: Dell KACE K1000 Systems Management Appliance 
Dell KACE 


Silver: GFI LanGuard 

GFI Software 


Bronze: LogMeIn Central 

LogMeIn 


Why It Won 

Patch management is a perennial and unloved task in IT. Having the right tool to help you manage the process can save time and money for your organization. The Dell KACE K1000 Systems Management Appliance provides patch management based on Lumension's endpoint management and security solution, delivered in an appliance with a web-based interface that gives you control of scheduling as well as the ability to choose which machines in your environment receive which updates. The K1000 works with both Windows and Mac OSs, as well as application updates from Adobe, Symantec, and other leading vendors. It also includes advanced features for mobile user management and robust tracking and reporting abilities, making the K1000 a top choice to serve your patch-management needs. 


Community Choice 

Gold: VMware vCenter Protect 

VMware 

Silver: Patch Manager 

SolarWinds 

Bronze: Dell KACE K1000 Systems Management Appliance 
Dell KACE 


"VMware vCenter Protect keeps you informed and allows you to be on one level of patches." 

Other Hot Products in This Year's Community Choice Survey 

Symantec Altiris Client Management Suite 
NetIQ Secure Configuration Manager 
Best Scripting Tool 


Editors' Best 

Gold: PowerShell Plus 

Idera 

Silver: PrimalScript 

SAPIEN Technologies 

Bronze: PowerGUI Pro 

Dell (formerly Quest Software) 


Why It Won 

PowerShell expertise is a desirable skill for today's IT pros. By properly leveraging PowerShell, systems administrators can do their jobs better by having a definitive understanding of the technology that they're administering, which helps make troubleshooting and planning easier. Idera's PowerShell Plus brings something to the table for everyone. If you're beginning to learn PowerShell, PowerShell Plus' Interactive Learning Center is an excellent resource that includes Help topics for all of your installed Windows PowerShell providers, cmdlets, snap-ins, and more. The integrated development environment (IDE) also includes several features to make writing cmdlets easier and faster, such as auto-code completion, debugging capabilities, and access to hundreds of preloaded scripts from Idera's QuickClick library. 


Community Choice 

Gold: PowerGUI Pro 

Dell (formerly Quest Software) 

Silver: PowerShell Studio 

SAPIEN Technologies 

Bronze: FastTrack Scripting Host 

FastTrack Software 



"PowerGUI Pro kills the ugly CLI of the '80s and allows you to work in this century with style and grace and speed." 

Other Hot Products in This Year's Community Choice Survey 

Idera PowerShell Plus 

Specops Software Specops Command 


Best Security Product 

Editors' Best 

Gold: Splunk Enterprise 
Splunk 

Silver: Log & Event Manager 

SolarWinds 

Bronze: Retina CS Management 
eEye Digital Security 

Why It Won 

Splunk is the kitchen sink of machine data analytics. It soaks up every kind of data you can throw at it, then turns that data into actionable intelligence—not just security intelligence but also troubleshooting, performance, and business intelligence. Splunk's particular security strengths lie in analyzing the everyday patterns of log data (such as logons/logoffs, process launch, and network resource access) to look for anomalies that might signal an intrusion. In a time of advanced persistent threats and the maxim that "everyone has been hacked, they just might not know it," this type of tool should be a standard component in every company's IT infrastructure. 



Community Choice 

Gold: Symantec Endpoint Protection 
Symantec 

Silver: Malwarebytes 

Malwarebytes 

Bronze: DocAve Administrator 
AvePoint 




"Symantec Endpoint Protection is the gatekeeper to my 
network!" 

Other Hot Products in This Year's Community Choice Survey 

NetIQ Sentinel 

Cisco Secure Access Control Server (ACS) 

Centrify Suite 
Best SharePoint Product 


Editors' Best 

Gold: HiSoftware Security Sheriff SP2010 

HiSoftware 

Silver: SharePlus 

Infragistics 

Bronze: VisualSP 

SharePoint-Videos.com 




Why It Won 

HiSoftware Security Sheriff SP2010 offers the most complete solution we've seen for securing SharePoint, while still enabling end users to easily share content and collaborate. Whereas some solutions secure content based on metadata and other solutions secure data via encryption, Security Sheriff does both. Instead of a "bucket" approach to classifying content, Security Sheriff works with metadata, offering you a more nuanced way to classify or declassify documents. It also lets you restrict access to an individual or specific group, even if others have access to the place where the content resides, which is important in the project-based world that businesses inhabit these days. In addition to securing a document based on its metadata, Security Sheriff can identify sensitive data and immediately encrypt it, so that users can't access it without the proper credentials, even if they have admin privileges. This also means that any documents that leave SharePoint can be accessed only by credentialed users. 


Community Choice 

Gold: DocAve 
AvePoint 

Silver: NetWrix SharePoint Change Reporter 

NetWrix 

Bronze: ControlPoint 

Axceler 




"DocAve is the only platform in the industry to look at 
the SharePoint platform holistically to actually fix and 
prevent problems, not just treat the symptoms." 

Other Hot Products in This Year's Community Choice Survey 

Dell Site Administrator for SharePoint (formerly Quest Software) 

EMC Storage Integrator (ESI) 


Editors' Best and Community Choice Awards 

Best System Utility 

Editors' Best 

Gold: Diskeeper 

Condusiv Technologies 

Silver: Service Account Manager 

Lieberman Software 

Bronze: activEcho 

GroupLogic 

Why It Won 

Diskeeper does what it says it will do. It addresses file system fragmentation with a variety of excellent features while running unobtrusively in the background, which is why it's a perennial favorite among IT pros. It not only resolves file system fragmentation but also prevents it. Its processing technology uses idle resources for background optimization routines, and it can identify and eliminate fragmentation that affects system performance. The latest version includes Volume Shadow Copy Service (VSS) Compatibility mode (which minimizes growth of the VSS storage area and prevents older VSS files from being purged), a new UI, and HyperFast technology (which speeds up performance in solid state disks—SSDs). Diskeeper can position frequently accessed data in the most optimal place, can rapidly defragment volumes with hundreds of thousands of files, and supports native IPv6 networks. Settings can be controlled through Group Policy and a central admin console. 


Community Choice 

Gold: Dell OpenManage Systems Management 
Dell 

Silver: CCleaner 

Piriform 

Bronze: Beyond Compare 

Scooter Software 



"Dell OpenManage makes the impossible easy!" 

Other Hot Products in This Year's Community Choice Survey 

Automation Anywhere Server 
Paragon Alignment Tool (PAT) 
Best Systems Monitoring Product 

Editors' Best 

Gold: WhatsUp Gold 

Ipswitch 

Silver: Server & Application Monitor 

SolarWinds 

Bronze: Splunk Enterprise 

Splunk 

Why It Won 

Ipswitch WhatsUp Gold is a flexible solution that uses both active and passive monitoring to provide IT pros with effective network management. Recommended by real-world systems engineers who use it daily, WhatsUp Gold lets you monitor your network from the inside out, from a single console with information at the ready, so you can correlate events quickly. It tracks the status and health of network devices, offering early alerts and listening for SNMP traps and syslog messages from devices in an infrastructure. Hierarchical maps provide a Layer 3 view of a network, including a complete representation of the real network and application environment. Its Alert Center offers a single integrated dashboard that quickly reveals alerts, notifications, and alert acknowledgements for easy configuration and management. Configurable dashboards display health and performance reports and offer the ability to customize reports. 


Community Choice 

Gold: Spiceworks MyWay 
Spiceworks 

Silver: Server & Application Monitor 

SolarWinds 

Bronze: NetIQ AppManager 
NetIQ 



"Spiceworks: For IT people by IT people." 

Other Hot Products in This Year's Community Choice Survey 

HP Operations Manager 
NetWrix Service Monitor 


Best Task Automation Product 
Editors' Best 

Gold: AutoMate 9 

Network Automation 

Silver: Automation Anywhere 

Automation Anywhere 

Bronze: NetIQ Aegis 
NetIQ 

Why It Won 

An increasingly relevant strategy for IT pros is automating business processes so that they can perform tasks faster. Network Automation has continued its proven track record for providing an easy and intuitive way to automate business processes. The great thing about AutoMate is that it doesn't require any scripting knowledge to develop automation applications through its intuitive drag-and-drop interface. Most important, the latest version of AutoMate includes virtual and cloud-based SharePoint automation, computing environments, and enhanced web-app interaction, which further helps IT pros streamline IT processes. 


Community Choice 

Gold: NetIQ Aegis 
NetIQ 




Silver: DocAve Governance Automation 
for Microsoft SharePoint 2010 
AvePoint 


Bronze: Automation Anywhere 

Automation Anywhere 


"NetIQ Aegis automated so many mundane tasks that I 
can actually do the job I was hired to do!" 

Other Hot Products in This Year's Community Choice Survey 

Network Automation AutoMate 

MVP Systems Software JAMS Job Scheduler 


Best Training Product or Service 

Editors' Best 

Gold: Critical Path Training 

Critical Path Training 

Silver: Big Nerd Ranch 

Big Nerd Ranch 

Bronze: BRI Training 

Binary Research International 

Why It Won 

Critical Path Training employs Microsoft MVPs and recognized SharePoint experts, not trainers who have been told to "learn the subject area." They're well-known speakers and authors who are experienced at explaining concepts and demonstrating techniques. This training company offers courses on SharePoint 2013 and SharePoint 2010 for administrators, developers, and power users. It offers the courses in a variety of formats, including hands-on classes in 10 professional training facilities around the United States, online workshops, and private onsite classes. Significantly, Microsoft recently hired Critical Path Training to create and deliver a hands-on developer training course for SharePoint 2013 developers. 

Community Choice 

Gold: Spiceworks University 
Spiceworks 

Silver: GoToTraining 

Citrix Systems 

Bronze: TrainSignal Computer Training 

TrainSignal 

Other Hot Products or Services in This Year's Community Choice Survey 

Symantec Education Services 
Transcender TranscenderCert practice exams 


Best Virtualization Product 

Editors' Best 

Gold: VMware vSphere 

VMware 

Silver: XenDesktop 

Citrix Systems 

Bronze: Veeam ONE for VMware and Hyper-V 

Veeam Software 

Why It Won 

VMware vSphere remains the clear leader in the enterprise virtualization space. The newest 5.1 release features an all-new flash-based web client for virtualization management. In addition, virtual machines (VMs) are now scalable to 64 virtual CPUs (vCPUs) and 1TB of RAM, making room for future application growth. vSphere 5.1 includes vSphere Replication for disaster recovery. The new support for shared-nothing vMotion brings vMotion support to organizations that don't have a SAN. 

Community Choice 

Gold: VMware vSphere 

VMware 

Silver: XenServer 

Citrix Systems 

Bronze: NetWrix VMware Change Reporter 

NetWrix 

Other Hot Products in This Year's Community Choice Survey 

VMware vSphere Hypervisor (formerly VMware ESXi) 

Veeam Backup & Replication 
Symantec Endpoint Virtualization Suite 




Least Encouraging IT Trends 

1. Cloud computing 

2. Bring Your Own Device (BYOD) 

3. Continued outsourcing/offshoring 

4. Lawsuits stifling innovation 

5. Heavy-handed IT micromanagement of mobile devices 

6. Current wages 

7. Decreasing employee count, more work required 

8. Belief in tablets as the savior of business 

9. "Scare budgets"—forcing "freemium" or low-cost solutions to solve enterprise needs 

10. Neglecting security in the cloud 
Cover Story 


Best Free Tool 

Editors' Best 

Gold: Twitter 

Twitter 

Silver: Splunk 

Splunk 

Bronze: Foglight Network Management System 

Dell (formerly Quest Software) 

Why It Won 

You might love it, you might hate it—but you can't ignore it. 
Twitter has become ubiquitous. To get the most out of Twitter, you 
probably need a client to manage your content, but the good news 
is that these clients are also free. Twitter can put you in touch with 
experts in any field, providing quick answers to nagging problems 
in your environment—as good as any knowledge base out there. 
More than that, it connects you to your technical community. IT 
pros don't always have the opportunity to meet and share ideas 
with others in the field, so Twitter provides a virtual medium that's 
always on to link you with colleagues around the globe. 


Community Choice 

Gold: Spiceworks 

Spiceworks 

Silver: 7-Zip 
Igor Pavlov 

Bronze: Notepad++ 

Don Ho 

"Two words that go great together are Spiceworks and free. Free software, free support—why wouldn't you use it?" 

Other Hot Products in This Year's Community Choice Survey 

Google Apps for Business 
Mozilla Firefox 
AVG Free 


Best Vendor Tech Support 

Community Choice 

Gold: Microsoft 

Silver: Cisco Systems 

Bronze: Spiceworks 

Other Hot Vendors in This Year's Community Choice Survey 

NetIQ 

Dell 

Veeam Software 


Favorite IT Websites 

1. TechNet 

2. Google 

3. ITNinja 

4. The Register 

5. Spiceworks 

6. Experts Exchange 

7. Engadget 

8. Microsoft Support 

9. Tech Republic 

10. (unreadable) 


InstantDoc ID 144460 
DECEMBER 2012 


The Essential Guide to 

New Virtualization Capabilities in 
Fibre Channel Environments 


Organizations have adopted, or are adopting, virtualization as the standard platform for server operating systems. However, certain types of systems, often Tier-1 applications, have remained "bare-metal" bound due to requirements for performance, redundancy and high availability that could not previously be met because of limitations in both the scalability and the functionality of virtualization solutions. Windows Server 2012 Hyper-V brings significant advancements in its hypervisor, enabling virtualization of almost any server application scenario and providing an ideal platform for all application tiers. This essential guide focuses on these new scenarios and the capabilities that enable them. 

New levels of scalability and mobility 

Windows Server 2008 R2 had a rich hypervisor that supported many types of workloads, but the resources that could be made available to virtual machines were fairly constrained, namely: 

• 4 virtual processors 

• 64GB of memory 

• 2TB virtual hard disk format (although multiple could be assigned to a single virtual machine) 

• 16 hosts in a highly available cluster, which was the boundary for migration of virtual machines without downtime 

Windows Server 2012 enables far greater scalability for virtual machines, enabling practically any workload to be virtualized from a resources perspective. Key metrics for Windows Server 2012 virtual machines are: 

• 64 virtual processors 

• 1TB of memory 

• 64TB virtual hard disks using the new VHDX format 

• 64 hosts in a highly available cluster, which is no longer a boundary for zero-downtime migration of virtual machines 

Large resources for a virtual machine are one dimension of enabling new types of loads to run in virtualized environments, but the key detail is that those large-scale applications can use resources efficiently. When virtual machines start using a lot of virtual processors and memory, the physical topology of the physical server matters—specifically, the connectivity between the processor and the memory. Non-Uniform Memory Access (NUMA) describes the coupling between processors and the memory locally attached to them; a processor and its local memory form a NUMA node. Best performance comes when processes run on processor cores and use memory local to the same NUMA node, and applications that understand this are NUMA aware. In a virtual world the physical hardware is abstracted from the virtual machine. However, for the applications running in the virtual machines to run at maximum efficiency and performance, Windows Server 2012 passes the NUMA topology to the virtual machine, allowing NUMA-aware applications to make the right decisions. When 64 NUMA-aware virtual processors and 1TB of memory are combined, the boundaries on what can be virtualized from a processor and memory perspective are removed. 

Network connectivity can often be challenging for virtual environments in a number of ways. Different virtual machines need different connectivity to different networks and potentially guaranteed amounts of bandwidth, which have in the past required many physical network connections from the virtualization host that were ordinarily not highly used, thus wasting resources and bandwidth. Windows Server 2012 introduces support for both hardware and software Quality of Service (QoS), which enables individual virtual machines to be guaranteed certain levels of bandwidth available—and with hardware QoS guaranteeing bandwidth for different types of traffic. For environments that require isolation between tenants and flexibility to move virtual machines between datacenters—and even between on-premise and off-premise hosting, such as public cloud Infrastructure as a Service (IaaS)—Windows Server 2012 provides network virtualization, abstracting the network seen by the virtual machines from the actual physical network fabric. 

Virtualization breaks the bonds between the virtual environment and the physical fabric, be it computer, network, or storage. And Windows Server 2012 provides new levels of mobility to virtual machines. First, the number of hosts in a Failover Cluster has increased from 16 to 64 and enables multiple concurrent live migrations. Live migration lets you move a virtual machine between hosts with no down-time or break in connectivity to the guest operating system running within the virtual machine. Windows Server 2012 introduces a live storage move capability that allows the storage of a virtual machine to be moved between any supported storage medium such as SAN, direct-attached, or SMB 3.0 with no down time to the virtual machine. Live migration and the live storage move capability are combined to provide Shared Nothing Live Migration, which lets you move a virtual machine between any two Windows Server 2012 Hyper-V hosts that don’t need to be part of a cluster or need to share any storage, a cost-effective solution for non-critical applications. 

Leveraging Fibre Channel storage natively in a virtual machine 

Shared storage provided by Storage Area Networks (SAN) has long been leveraged by many types of services, and especially virtualization, for consolidated, high-quality and easy-to-manage storage. Using a SAN is even more beneficial in Windows Server 2012 with the introduction of Offloaded Data Transfer (ODX). In normal SAN data move or copy operations the host connected to the SAN reads the data into its buffer then writes it out. This read/write operation consumes a lot of host resources and slows down the data operation. ODX allows the host to ask the SAN to perform the data move or copy on behalf of the host, removing all resource utilization on the host and reducing the time of operations from minutes to seconds. This feature is especially beneficial when provisioning new virtual environments from templates. 

Virtualization hosts used SAN storage for storing virtual machine configuration data and virtual hard disks, and each host would have its own set of assigned LUNs for virtual machines on that host. But this limited mobility of virtual machines within a cluster. Windows Server 2008 R2 introduced Cluster Shared Volumes (CSV), which allowed a LUN to be concurrently used by every node in the cluster, removing the need to move LUNs between hosts as the VM moved. In Windows Server 2012, CSV has been improved to support BitLocker volume level encryption and NTFS has improved error resolution. However, the use of SANs still focused on the host, which then passes storage to a VM via virtual hard disks. 

The new Virtual Hard Disk X (VHDX) format provides a set of increased functionality to meet the requirements for scalability, manageability and performance for virtualized applications - such as very large volumes - with a new 64TB size limit, up from the previous 2TB limit. Previously, pass-through storage would be used when virtual machines needed access to very large volumes; this capability allows storage attached to a host to be directly accessed by a specific virtual machine. The use of pass-through storage inhibited functionality for virtual machines, such as the ability to perform snapshots of virtual machines and migration of the virtual machine between hosts, because only a specific host had connectivity to the storage. 

Even with a VHDX file it is not possible to share a VHDX file among multiple virtual machines, even on the virtual SCSI bus, which blocks certain types of guest scenarios. The only solution available had been to use the operating system’s built-in iSCSI initiator and connect to storage via iSCSI. The use of iSCSI is challenging, however, because many organizations leverage Fibre Channel (FC) as the protocol of choice for Tier 1 critical applications because of its superior reliability, scalability and performance, and therefore have existing FC infrastructures in place that should be leveraged for virtualized applications. Now for the first time, Windows Server 2012 enables Fibre Channel access directly from guest virtual machines with its new Virtual Fibre Channel capability. 

The addition of Virtual Fibre Channel opens up a large number of new scenarios to environments leveraging Hyper-V and FC-connected storage. Virtual machines can directly communicate to shared Fibre Channel storage, allowing guest clustering within virtual machines, and enabling new enterprise services such as workload balancing and highly available SQL and Exchange deployments. Virtual machines can leverage technologies such as Multi-Path IO to ensure redundant, continuous connectivity to FC storage from within a virtual machine, and features such as Live Migration of virtual machines without any re-configuration of the FC SAN are now possible. These new scenarios are explored later in this paper. 

If you’re familiar with virtual switches on Hyper-V, you’ll relate to the implementation of Virtual Fibre Channel. In Hyper-V networking, a virtual switch is created that corresponds to a physical network adapter, giving connectivity to an external network. Virtual machines have virtual network adapters that are connected to the virtual switch, which then allows the virtual machine external network connectivity. The steps to leverage Virtual Fibre Channel are very similar. 
The Hyper-V hosts must have physical connectivity via Fibre Channel to the storage and must be running the Windows Server 2012 version of Hyper-V. In accordance with best practice implementations of FC SANs, the hosts are connected to redundant fabrics for high availability, which in turn can be leveraged by the virtual machines. The drivers for the Fibre Channel host bus adapter (HBA) or converged network adapter (CNA) need to be installed, if not native to the Windows Server 2012 operating system. The Brocade adapter driver, which supports all Brocade adapter models, is part of Windows Server 2012, which means no additional actions are required to add support, simplifying deployment. 

A Virtual Fibre Channel SAN is created within the Hyper-V environment, which is tied to specific physical port(s) available on the host. You create redundant Virtual SANs to provide access to the redundant physical storage fabrics available. Multiple Virtual SANs thus exist to provide multiple paths via separate physical switches in the redundant fabrics. Each Virtual SAN can comprise one or more physical ports, and each physical port can only be used by one Virtual SAN. It is important to ensure all the Hyper-V hosts within a cluster have the same connectivity to storage and Virtual SANs, with the same names defined, thereby enabling virtual machine mobility with no loss of storage connectivity when moving virtual machines between hosts in the cluster. 

Once the Virtual SANs are defined, the virtual machine settings need to be updated to include virtual fibre channel adapters. You update settings by using the Add Hardware option and selecting a Fibre Channel Adapter. As shown in Figure 1 below, the configuration of the virtual fibre channel adapter requires the selection of the Virtual SAN that the virtual fibre channel adapter will connect to. Additionally, as the figure shows, each virtual fibre channel adapter has two World Wide Port Names (WWPNs), called A and B. Both the A and B WWPNs must then be zoned with the storage port(s) in the respective fabric for access to the storage. As already discussed in this paper, Hyper-V has the capability to move virtual machines between physical hosts without any downtime to the guest operating system. With a single WWPN, moving a virtual machine between hosts would cause a disconnect because the WWPN would have to move within the fabric (due to the change of PID); by using two WWPNs for a virtual machine, the second WWPN is used on the target host as part of the migration, avoiding any disruption to storage access for the virtual machine during the move. Defining the WWPN at the virtual fibre channel adapter for each virtual machine ensures storage access security through zoning, and as a consequence even the Hyper-V host has no access to the storage unless explicitly given. [In addition, LUN masking must be performed on the storage subsystem for both port A and B on each virtual HBA accessing the LUN.] Assuming each Hyper-V host has at least two Virtual SANs that correspond to two paths to the storage in order to provide redundancy, each virtual machine should be configured with two virtual fibre channel adapters, one to each Virtual SAN. 

Figure 1 - Configuring the Virtual Fibre Channel Adapter (Hyper-V Settings dialog for a virtual machine, Fibre Channel Adapter page: Virtual SAN selection and the Address set A and Address set B WWNN/WWPN port addresses) 
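As an added example, not part of this paper or of Microsoft's or Brocade's own documentation, the following Windows PowerShell script performs the Virtual SAN and virtual fibre channel adapter steps just described with the Hyper-V and FailoverClusters cmdlets that ship with Windows Server 2012, lists the A and B WWPNs the storage team must zone and mask, and checks the cluster-wide Virtual SAN naming the paper calls out. The fabric, VM and cluster names are placeholders, and the ConnectionType filter on Get-InitiatorPort is an assumption about how FC ports are reported.

```powershell
# Added example (not from the paper): Virtual Fibre Channel setup and check.
# Assumptions: run elevated on a Windows Server 2012 Hyper-V cluster node,
# the VM is powered off, and the names below are placeholders.
Import-Module Hyper-V
Import-Module FailoverClusters

# Physical FC initiator ports on this host. Get-InitiatorPort reports the
# port WWPN in PortAddress and the node WWNN in NodeAddress; filtering on
# ConnectionType starting with 'Fibre' is an assumption about the reported value.
$fcPorts = @(Get-InitiatorPort | Where-Object { $_.ConnectionType -like 'Fibre*' })
if ($fcPorts.Count -lt 2) {
    throw "Need at least two FC ports (one per redundant fabric); found $($fcPorts.Count)."
}

# One Virtual SAN per physical fabric. A physical port can belong to only one
# Virtual SAN, so the first port is tied to FabricA and the second to FabricB.
$sanNames = @('FabricA', 'FabricB')   # placeholders; must match on every host
for ($i = 0; $i -lt 2; $i++) {
    $port = $fcPorts[$i]
    if (-not (Get-VMSan -Name $sanNames[$i] -ErrorAction SilentlyContinue)) {
        New-VMSan -Name $sanNames[$i] `
                  -WorldWideNodeName $port.NodeAddress `
                  -WorldWidePortName $port.PortAddress | Out-Null
    }
}

# Give the VM one virtual FC adapter per Virtual SAN. -GenerateWwn lets
# Hyper-V allocate the A and B WWPN sets the paper describes.
$vmName = 'SQLNODE1'   # placeholder
foreach ($san in $sanNames) {
    Add-VMFibreChannelHba -VMName $vmName -SanName $san -GenerateWwn
}

# Both WWPN sets of every adapter must be zoned to the storage ports and
# LUN-masked on the array; otherwise the B set has no path when live
# migration switches to it. Emit the list the storage team needs.
function Get-VfcZoningList {
    param([Parameter(Mandatory)][string]$VMName)
    Get-VMFibreChannelHba -VMName $VMName |
        Select-Object SanName, WorldWidePortNameSetA, WorldWidePortNameSetB
}
Get-VfcZoningList -VMName $vmName | Format-Table -AutoSize

# Consistency check: every cluster node must define the same Virtual SAN
# names, or a migrated VM lands on a host with no matching SAN and loses storage.
function Test-VirtualSanConsistency {
    param([Parameter(Mandatory)][string]$ClusterName)
    $nodes = @((Get-ClusterNode -Cluster $ClusterName).Name)
    $reference = @((Get-VMSan -ComputerName $nodes[0]).Name | Sort-Object)
    if ($reference.Count -eq 0) {
        Write-Warning "No Virtual SANs defined on $($nodes[0])."
        return $false
    }
    $ok = $true
    foreach ($node in $nodes) {
        $names = @((Get-VMSan -ComputerName $node).Name | Sort-Object)
        $diff = Compare-Object -ReferenceObject $reference -DifferenceObject $names
        if ($diff) {
            Write-Warning "Virtual SAN mismatch on ${node}: $($diff | Out-String)"
            $ok = $false
        }
    }
    return $ok
}
Test-VirtualSanConsistency -ClusterName 'HVCLUSTER01'   # placeholder cluster name
```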

Within the virtual machine the virtual fibre channel adapters appear as generic virtual fibre channel adapters, abstracted from the physical adapters. This provides maximum mobility for the virtual machines between hosts, which may have different hardware. However, this means adapter-specific management applications cannot run within a virtual machine. Within the virtual machine, Multi-Path Input/Output (MPIO) is leveraged to combine the multiple virtual fibre channel adapters into a single, resilient path to the fibre channel SAN. Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 guest operating systems support the virtual fibre channel adapter; however, the Windows Server 2012 integration services must be installed on Windows 2008 and Windows 2008 R2 guest operating systems to be able to leverage virtual fibre channel. Figure 2 summarizes the overall connectivity when leveraging virtual SANs and virtual fibre channel adapters. 


Figure 2 - Virtual SAN and Virtual Fibre Channel Adapter Connectivity (diagram: virtual machines with MPIO and virtual FC adapters, virtual SANs on the Hyper-V host, physical SAN switches, storage array) 

Virtual machines with MPIO-enabled virtual fibre channel adapters now have direct access to the fibre channel SAN storage in the same way a “bare-metal” physical host does, which enables many new scenarios for workloads that need the highest levels of storage performance and capacity. Any service architecture that requires high-performance shared storage is now possible for virtual environments using virtual fibre channel. Some key examples include: 

• MS-SQL Server deployments. Transactional DBs have some of the highest storage requirements of any workloads, both from a capacity and performance perspective. Ideally, these requirements are met using fibre channel attached SAN storage. Virtual machines configured in a cluster with the same virtual SAN connectivity via virtual fibre channel adapters can be part of a large-scale virtualized SQL Server highly available implementation. 

• Large MS-Exchange deployments for mailbox storage 

• Enterprise SharePoint implementations 

• File services, including providing SMB 3.0 file based access to machines in the enterprise using storage on a fibre channel SAN. To provide enterprise application level SMB 3.0 services the file servers in the cluster must use shared storage. 

The examples provided just scratch the surface of what is possible. The key point is that a virtual machine can now match the scalability and connectivity of physical servers and actually exceed the capabilities of a physical machine by leveraging the abstraction and mobility that virtualization provides. 

Improved Manageability 

The manageability of any solution is critical to its success. Windows Server 2012 shifts its management model completely in two ways: 

1. Servers are now deployed as Server Core by default. This is the preferred installation type, which means the server has no graphical interface and minimal local management infrastructure. This reduces the amount of patching and therefore the reboots required. To enable this new preference and to simplify management across all environments, virtual or physical, the Windows Server management tools—specifically Server Manager—now remotely manage multiple servers concurrently, enabling “the power of many, the simplicity of one,” the tagline for Windows Server 2012 manageability. 

2. PowerShell is enabled for every aspect of Windows Server 2012, enabling automation of any Windows Server 2012 process via the PowerShell cmdlets, which are often enriched further by third-party additional modules. 

Windows Server 2012 does not run in isolation, however, and the key to a well-organized and efficient IT is simplified and consolidated management. Earlier in the paper, I covered the inbox drivers for Brocade adapters, which provide an easy way for organizations to leverage Brocade hardware. But as virtualization integrates with storage even more closely, it is vital that administrators have a unified management tool for the end-to-end SAN infrastructure (from VM to the storage LUN) as well as insight into how the infrastructure is being used by the virtualized applications. 

Brocade Network Advisor (BNA) solves both these requirements. In addition to support for SAN management and Brocade adapters and switches, BNA also offers support for other vendor HBAs. BNA also provides unprecedented insight into the virtual environment. As shown in Figure 3 below, by selecting a virtual switch port in BNA, details of the virtual machine that is using the virtual switch are shown, including information such as the virtual machine name, its state, configuration path and basic hardware details. This insight provides valuable information and enables an easy path to a complete understanding of how storage is being utilized from the SAN, through the switch infrastructure and down to the individual virtual machines. 

Figure 3 - Virtual Machine Details Available Through Brocade Network Advisor 

Brocade also provides integration with System Center 2012, Microsoft’s enterprise management solution, in the form of Management Packs for Operations Manager that provide integration with BNA and direct access to Brocade switch information. 

An unparalleled experience 

In this paper I've shown that Windows Server 2012 Hyper-V, with consolidated storage in a Fibre Channel SAN accessed and managed by Brocade solutions, provides an unparalleled manageability and capability experience. Almost any workload can be virtualized using the described solution, providing a robust infrastructure that delivers the availability, performance and scalability required by today's highly virtualized data centers.

For more information about Brocade solutions with Microsoft, please see http://www.brocade.com/partnerships/technology-alliance-partners/partner-details/microsoft/index.page

For more information about Brocade Fibre Channel SAN products, please see http://www.brocade.com/solutions-technology/industry/data-center/storage-networking.page
New Release

Microsoft Releases Windows Server 2012

Improvements in storage, virtualization, and management are worth a look

Windows Server 2012, arguably the most significant server release Microsoft has ever offered, became available for evaluation and purchase to customers around the world on September 4, 2012. Server 2012 offers a simplified licensing model that includes all features of the OS in all editions of Server. You'll find improved management capabilities in Server Manager and PowerShell. Storage improvements are numerous, and Hyper-V enhancements include scalability, live migration upgrades, and storage live migration capabilities. Windows IT Pro brings you ongoing coverage of Server 2012, with in-depth treatment of significant features, breaking news, and analysis. Visit our Windows Server 2012 page for the latest news and technical features. ■

InstantDoc ID 143935


Top 10 Windows Server 2012 FAQs 


1. If I upgrade a Hyper-V host to Windows Server 2012 from Windows Server 2008 R2, will VMs keep running during the upgrade?

2. Are Windows NT 4 and Windows 2000 guest OSs supported on Windows Server 2012 Hyper-V?

3. Where are the KMS keys for Windows 8 and Windows Server 2012?

4. What is Offloaded Data Transfer in Windows Server 2012?

5. After I reinstalled Windows Server 2012, my Storage Spaces are no longer writable or automatically attached. What can I do?

6. Can I upgrade a Windows Server 2008 or Windows Server 2008 R2 Server Core installation to Windows Server 2012 with a GUI directly?

7. What Windows PowerShell cmdlet adds a VHD to a virtual machine in Windows Server 2012?

8. Why, when I enable .NET Framework 3.5 on Windows 8 and Windows Server 2012, does it connect to the Internet and pull down files?

9. What is the Windows Server 2012 NUMA Spanning option, and should it be enabled or disabled?

10. Does SMB Transparent Failover in Windows Server 2012 require ReFS?
Windows Server 2012 Articles


► Introducing Windows Server 2012 

► New Features in Windows Server 2012 Server Manager 

► Windows Server 2012 Essentials: Access the Server Remotely 

► Windows Server 2012 Sprints Through the Finish Line 

► Getting Around in Windows Server 2012, Part 2: Server Manager 

► Windows Server 2012 Essentials: Domain vs. Workgroup 

► Get Ready for Windows Server 2012 Hyper-V 

► Cloning Virtual Domain Controllers in Windows Server 2012 

► Windows Server 2012: Foundation vs. Essentials 

► Video: Getting Around in Windows Server 2012 Server Manager 

► Windows Server 2012 Essentials: Connect Client PCs without Using a Domain 

► Windows Server 2012 and SQL Server 2012: Better Together

► New Ways to Enable High Availability for File Shares 

► Microsoft Releases Windows Server 2012 to Manufacturing 

► Top 10 Windows Server 2012 Storage Enhancements 

► Is Microsoft Trying to Kill Windows Server? 

► Getting Around in Windows Server 2012, Part 1 

► Shared-Nothing VM Live Migration with Windows Server 2012 Hyper-V 

► Windows Server 2012 Simplifies Active Directory Upgrades and Deployments 

► Windows Server 2012 Storage Spaces 

► Video: Windows Server 2012 Storage Spaces Demo 

► How Windows Server 2012 Improves Active Directory Disaster Recovery 
Customizing OWA in Exchange Server 2010

Use simple techniques to create a unique experience for users

Outlook Web App (OWA) in Exchange Server 2010 is the new name for Outlook Web Access, which has been around for 15 years, ever since Exchange Server 5.0. Since the release of the first version of Exchange Server with OWA, companies and administrators have maintained a desire to make OWA unique, even beyond the supported options. Company customization of OWA ranges from superficial color changes, to full branding, to radical interface changes. The ease of actually accomplishing OWA customization varies greatly, depending on the version of Exchange Server, the available customization tools, and administrators' skill sets.

OWA has come a long way from the basic Active Server Pages (ASP) application of Exchange 5.0 and 5.5. Microsoft Exchange Web Services, added in Exchange Server 2007, makes Exchange data accessible from a variety of sources following the Web services API. Exchange Server 2010 with Exchange Web Services has made it easier to develop custom web applications to access Exchange Server data. Exchange 2007 included four user-initiated themes in OWA. In Exchange Server 2010 RTM, OWA customization options weren't yet supported; the old Exchange 2007 theme content was still part of the installation, though not a functional one. It wasn't until Exchange Server 2010 Service Pack 1 (SP1) that Microsoft brought back support for OWA customization. (Exchange Server 2010 SP2, which is the current service pack as of this writing, doesn't add to the OWA customizations that we'll look at in this article.)
In this article, I'll discuss OWA segmentation, which is used to limit the components that users can access through the OWA interface, and customization of the OWA logon and logoff screens.

Microsoft Policy on Customizing OWA 

For many of the OWA changes that we'll look at, you must replace existing files with your customized files. For themes, simple Cascading Style Sheets (CSS) changes, and logon- and logoff-screen changes, you're manipulating content at the file level. When Microsoft releases updates to Exchange Server, whether bug fixes, rollup packages, or service packs, the company offers no guarantee that your changes won't be overwritten. Nor does it guarantee that code changes in updates won't affect your customization efforts. Therefore, you should maintain a backup of any customization efforts and test Microsoft updates to ensure that your OWA customization still works after they're applied. Microsoft outlines its support policy for OWA customization, for all versions dating back to Exchange 5.5, in the article "Microsoft support policy for the customization of Outlook Web Access for Exchange." In addition, I recommend that you develop and test your customizations, whether comprehensive OWA custom applications or file-level image updates to reflect a branded logon screen, in a lab deployment before putting your work into production.

Segmentation 

Segmentation is a fully supported method of customization for OWA. With segmentation, an administrator simply controls which components of OWA are visible to the end user. Many enterprises want their users to have access to the full range of functionality through the OWA client. However, some users might require only a limited set of features to complete their daily duties. For example, I recently worked at a manufacturing plant in which the plant workers needed access to email and contacts, but calendar, tasks, and public folder access was superfluous. Focused OWA access also helps to restrict users from exposing or being exposed to content that might otherwise be considered off limits or confidential. Limiting access to components deemed unnecessary by use or policy is good security practice as well, reducing the risk surface area. Segmentation can also reduce bandwidth use during OWA sessions.

Figure 1: EMC Segmentation Tab

OWA is available by default on any Exchange 2010 server with the Client Access server role installed. No additional configuration is needed to enable segmentation. As of Exchange 2007, segmentation has been readily managed through the Exchange Management Console (EMC). Segmentation is configured through the Client Access server in EMC.

In EMC, navigate to the Client Access server that hosts OWA, then right-click the OWA site and select Properties. The Segmentation tab, which Figure 1 shows, lists the user-level OWA components that can be toggled on and off for users of the Client Access server. (Table 1 lists all the available features.) Select and enable or disable individual features, one at a time.

Exchange Server 2010 introduces OWA mailbox policies. These policies allow administrators to apply segmentation selections to individual users or groups of users, rather than to everyone who connects to OWA on a specific Client Access server. Even though the feature includes "mailbox" in its name, these policies are technically not applied to mailboxes but rather to the web application that's used to access mailbox data. When the Client Access server role is installed, a default OWA mailbox policy is put in place. By default, all the listed, segmentable features are enabled in the default policy.

Table 1: Segmentable OWA Features

| OWA Feature | Description |
|---|---|
| Exchange ActiveSync Integration | Allows or prevents user management of ActiveSync-enabled mobile phones that can access the user's Exchange mailbox, including remote device wipe |
| All Address Lists | Allows or prevents user viewing of all address lists except the Global Address List (GAL), which is managed separately |
| Calendar | Allows or prevents user access to the Calendar folder |
| Contacts | Allows or prevents user access to and management of contacts |
| Journal | Allows or prevents user viewing of the Journal folder |
| Junk E-mail Filtering | Allows or prevents mailbox-level message hygiene control |
| Reminders and Notifications | Allows or prevents user receipt of new email notifications and calendar and task reminders |
| Notes | Allows or prevents user access to the Notes folder |
| Premium Client | Allows or prevents user access to the OWA Premium client |
| Search Folders | Allows or prevents user viewing of Search folders in OWA (if such folders have been created in Outlook client) |
| E-mail Signature | Allows or prevents user ability to add and edit email signatures in OWA |
| Spelling Checker | Allows or prevents user access to spell check functionality in OWA |
| Tasks | Allows or prevents user access to Tasks folder |
| Theme Selection | Allows or prevents user control of theme presentation in OWA |
| Unified Messaging Integration | Allows or prevents user access to voicemail and fax through OWA (if such functionality is available) |
| Change Password | Allows or prevents user changing of mailbox password |
| Rules | Allows or prevents user addition, deletion, and editing of mailbox rules |
| Public Folders | Allows or prevents user access to public folders to which they have permissions |
| S/MIME | Allows or prevents user sending of signed and encrypted messages |
| Recover Deleted Items | Allows or prevents user access to Recover Deleted Items feature through OWA |
| Instant Messaging | Allows or prevents user access to Instant Messaging (if such functionality is available) |
| Text Messaging | Allows or prevents user access to text messaging (if such functionality is available) |

Figure 2: OWA Mailbox Policies

OWA mailbox policies are created in the EMC at the organization level, as reflected in Figure 2. Select Client Access under the Organization Configuration hub in the EMC; the OWA mailbox policies are listed in the middle pane. To add a new policy, right-click the open area in the middle pane and select New in the context menu, or select the same option directly in the EMC Actions pane. As Figure 2 also shows, the primary function of the OWA mailbox policy is to configure a specific segmentation setup for a user or group, because there's nothing else to configure in the UI. Consider giving the policy a descriptive name, such as the region or department to which it will apply, or including the specific segmentation goal in the name, such as "No Journal." Figure 3 shows the Outlook Web App Properties box, which allows you to apply an existing OWA mailbox policy to a mailbox or mailboxes. OWA mailbox policies can also be created or amended in the Exchange Management Shell (EMS) by using the New-OWAMailboxPolicy and Set-OWAMailboxPolicy cmdlets.

Figure 3: Outlook Web App Properties

98 Windows IT Pro / December 2012
WWW.WINDOWSITPRO.COM

When you use these cmdlets to create a new OWA mailbox policy or edit an existing policy, you can toggle a list of attributes on or off. These attributes apply directly to the features that are listed in Table 1. The features are enabled by default, so in general, when configuring an OWA mailbox policy in EMS, you would call the attributes you want to toggle and set them to false to disable them. See the Microsoft articles "Set-OwaMailboxPolicy" and "New-OWAMailboxPolicy" or the cmdlet Help for the list of applicable attributes for each cmdlet.

Segmentation can also be configured by using the EMS at the server or user level. Use the Set-CASMailbox cmdlet to apply segmentation as defined in a specific OWA mailbox policy. For example, the following code applies the OWA mailbox policy called North America Staff to the mailbox-enabled user Steve:

Set-CASMailbox -Identity Steve -OwaMailboxPolicy "North America Staff"

If the OWA mailbox policy has spaces in its name, then quotation marks are required in EMS. To apply an OWA mailbox policy called Executives to all users belonging to the Active Directory (AD) organizational unit (OU) of the same name, use this code:

Get-CASMailbox -OrganizationalUnit Executives | Set-CASMailbox -OwaMailboxPolicy:Executives

You can also use EMS to retrieve the list of mailbox-enabled users to which you want to apply an OWA mailbox policy, based on common existing attributes (e.g., Title, Location). To do so, use Get-User and pipe output to the Set-CASMailbox command. You can also pull from a text file through EMS, by using the Get-Content command as follows:

Get-Content "c:\files\OWAPolicyList.txt" | Set-CASMailbox -OwaMailboxPolicy "North America Staff"

OWAPolicyList.txt is a plaintext file that lists the email address for the mailboxes, using one address per line, as follows:

steve@mojavemedia.com
gianni@mojavemedia.com
greg@mojavemedia.com
marco@mojavemedia.com

Of course, if you're administering Microsoft Office 365 for your company, you'll need to employ EMS to configure segmentation. The Exchange Control Panel (ECP) for Office 365 doesn't provide access to OWA policy administration.

Exchange 2010 SP2 brings back a previously deprecated version 
of web mail: OWA Mini, formerly known as Outlook Mobile Access 
(OMA) and last seen in Exchange Server 2003. This renewed OWA 
Mini functions as a set of forms within OWA. As part of OWA, OWA 
Mini (for mobile browsers) and OWA Basic (for untested browsers) 
also adhere to segmentation flags. Users who’ve been prevented 
access to basic folders, such as Calendar, can’t access those folders 
through OWA Mini (shown in Figure 4) or OWA Basic. 



Figure 4 

OWA Mini 


Segmentation restricts and simplifies the OWA web interface for users. By default, OWA shows the primary Mail, Calendar, Contacts, and Tasks folders in the bottom left of the browser window. As a simple example, I take user Steve Bauer, who initially has no OWA mailbox policy applied and therefore has all available features enabled, and apply an OWA mailbox policy that disables calendar, task, and theme selection. Figures 5 and 6 show the differences in the interface before and after the application of this policy.

Figure 5: OWA Web Interface Before Policy Application

Figure 6: OWA Web Interface After Policy Application

Segmentation can also be applied at the server level, using the Set-OwaVirtualDirectory cmdlet. Like the Set-OWAMailboxPolicy cmdlet, it lets individual features be toggled on or off. In this case, everyone who connects to a specific server and virtual directory, such as "owa (Default Web Site)," will see the same OWA features. If you're using some form of load balancing for OWA access across multiple Client Access servers, you need to ensure that segmentation configuration changes are applied to all the Client Access servers in your pool. Users might otherwise see different OWA configurations, depending on which Client Access server they connect to through load balancing.

Finally, note that when you create a new OWA mailbox policy or 
make segmentation changes at the server level, and you want to 
immediately apply the policy or changes to users, you might need to 
restart the OWA site. Restarting Microsoft IIS also forces OWA to pick 
up these changes immediately. This is best done at the command line 
on the server, using the following command: 

iisreset -noforce 
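The EMS procedure above, pulled together as one added script (not from the article): it creates a policy with the same three features disabled as in the Steve Bauer example, applies it in bulk from a text file and from a Get-User query, and then checks every Client Access server's owa virtual directory for the server-level drift the load-balancing paragraph warns about. The policy name, file path and Title value are constructed for the example; it assumes an Exchange 2010 SP1 or later EMS session.

```powershell
# Added example, not the article's code. Assumes Exchange 2010 SP1+ EMS.
$PolicyName = 'Plant Floor'                  # constructed name, chosen for the group it serves
$ListFile   = 'C:\files\OWAPolicyList.txt'   # one SMTP address per line (constructed path)

# 1. Create the policy once. Every feature starts enabled, so only the unwanted
#    ones are switched to $false (same set as the article's Steve Bauer example).
if (-not (Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $PolicyName | Out-Null
}
Set-OwaMailboxPolicy -Identity $PolicyName -CalendarEnabled $false `
    -TasksEnabled $false -ThemeSelectionEnabled $false

# 2. Build the target list: addresses from the file (blank lines skipped) plus
#    mailbox users whose Title matches (constructed value), de-duplicated.
$fromFile = Get-Content $ListFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$fromAd   = Get-User -Filter { Title -eq 'Plant Worker' } `
                -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
            ForEach-Object { $_.WindowsEmailAddress.ToString() }
$targets  = @($fromFile) + @($fromAd) | Sort-Object -Unique

# 3. Apply the policy only where it is not already set; an address with no
#    mailbox is reported instead of being silently dropped.
foreach ($addr in $targets) {
    $cas = Get-CASMailbox -Identity $addr -ErrorAction SilentlyContinue
    if (-not $cas) { Write-Warning "No mailbox for '$addr'; skipped"; continue }
    if ($cas.OwaMailboxPolicy -and $cas.OwaMailboxPolicy.Name -eq $PolicyName) { continue }
    Set-CASMailbox -Identity $addr -OwaMailboxPolicy $PolicyName
    Write-Host "Applied '$PolicyName' to $addr"
}

# 4. Server-level drift check: behind a load balancer every CAS must expose the
#    same segmentation, or users see different OWA features per connection.
$features = 'CalendarEnabled', 'TasksEnabled', 'ThemeSelectionEnabled',
            'JournalEnabled', 'PublicFoldersEnabled', 'ChangePasswordEnabled'
$dirs = Get-OwaVirtualDirectory | Where-Object { $_.Name -like 'owa*' }
foreach ($feature in $features) {
    if (@($dirs | Group-Object $feature).Count -gt 1) {
        $detail = ($dirs | ForEach-Object { "$($_.Server)=$($_.$feature)" }) -join ', '
        Write-Warning "$feature differs across Client Access servers: $detail"
    }
}
```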

Logon- and Logoff-Screen Customization 

When users access the URL for OWA, the first screen is the logon screen (unless there's a certificate error, of course). In some companies, management might want to customize the logon or logoff screen to assert a brand or to assure users that they're in the correct place. A logon screen adorned with a familiar corporate logo and color scheme can give users confidence that they're on the correct site. Management might also customize the logon screen to incorporate specific information or legal disclaimers. Logon and logoff screens can be customized without affecting the core OWA.

The OWA logon and logoff screens are standalone web forms that use several .gif graphic files and CSS for fonts and formatting. For users who log on to OWA for the first time, there's an additional configuration screen, which is also affected by customization efforts because it shares the same image and CSS files as the logon screen. The initial logon screen is composed of nine .gif files, organized and placed according to logon.css. Other aspects of the logon screen are also rendered according to information in that CSS file, including font type and colors used outside of the .gif image files. These same files are incorporated into the first-time logon configuration screen and the logoff screen. If you're going to change these files, you need to update them only once; the updates will be reflected in all three pages. The default, installed versions of the logon, first-time logon configuration, and logoff screens are shown in Figures 7, 8, and 9.

Figure 7: Default Logon Screen

Figure 8: Default First Time Logon Screen

Figure 9: Default Logoff Screen

The files used for the logon and logoff screens are on the Exchange server with the Client Access server role, at \Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\<version>\Themes\Resources. The <version> variable refers to the level of Exchange Server. Exchange 2010 SP2 shows a folder labeled 14.2.247.5. Exchange 2010 SP2 Rollup 1 adds a folder 14.2.283.3. OWA uses the most recent source.

As I mentioned earlier, you should work through your customizations in a lab environment if possible. Otherwise, consider taking a backup of the original files before you start making changes to OWA files. Thankfully, Microsoft has labeled the .gif files descriptively. Figure 10 shows the distribution of the .gif files in the logon screen; Table 2 lists the image filenames and their sizes (in pixels).

The simplest way to customize the logon screen is twofold: Replace the .gif files with ones more befitting of your corporate designs and amend logon.css and owafont.css to complement those files. You certainly aren't limited to this superficial alteration, but it has the most impact with the least effort.

The .gif file with the text "Outlook Web App," as seen in Figures 7, 8, and 9, is called lgntopl.gif (a filename standing for logon, top, left) and is the easiest file to work with when you just want to add your logo, without changing the default OWA color scheme. For this article, I took this .gif file and added a fictitious logo for Las Vegas Webmail, integrating the famous Las Vegas sign from the Las Vegas Strip in Nevada, as Figure 11 shows. I kept the .gif file at the set size of 456 x 115 pixels, so a straight file replacement on the Client Access server will return the new logo to users who log on to OWA on that Client Access server. If you use a different file size and don't make changes to the CSS file, then the formatting of the graphics will be incoherent. (The location on the page of each graphic is coded into the CSS file, based on pixel location, so if you change the sizes of the .gif files, you need to accommodate that change within the CSS file itself.) Clearly, if you want to make complete custom logon screens beyond manipulating the appearance of the existing graphics, you'll need some knowledge of CSS.

Table 2: OWA 2010 Logon and Logoff Screen Graphic Files and Sizes

| Logon/Logoff Graphic File Name | File Size (in Pixels) |
|---|---|
| lgntopl.gif | 456 x 115 |
| lgntopm.gif | 1 x 115 |
| lgntopr.gif | 45 x 115 |
| lgnbotl.gif | 456 x 54 |
| lgnbotm.gif | 1 x 54 |
| lgnbotr.gif | 45 x 54 |
| lgnleft.gif | 15 x 200 |
| lgnright.gif | 15 x 200 |
| lgnexlogo.gif | 22 x 22 |

Figure 10: Distribution of GIF Files

Figure 11: Customized OWA Logon Screen

The text style in the logon screen is also governed by instructions in logon.css. CSS files are simply text files and can be edited by using a text editor or one of the many CSS editors. But these days, all web development applications also handle CSS. Microsoft Expression Web is a great tool for working with CSS files; Microsoft Visual Studio can also serve as an advanced CSS editor, although using it just for that purpose is a bit of overkill. Colors in CSS are defined by hexadecimal color codes: the hash sign (#) followed by a 6-character code. Most CSS editors have color palettes with hex numbers incorporated. Quick resources are available online as well (e.g., VisiBone). Your marketing, graphics, or web-development people likely maintain exact print and web color codes that represent the color scheme for your corporate presence and logos.



Table 3: Default Exchange 2010 OWA Logon Form Color Codes

| Color Placing | Color Hex Code | Color Description |
|---|---|---|
| Background | #ffffff | White |
| Show explanation text | #ff6c00 | Orange |
| Main text | #444444 | Dark gray |
| Input field border | #a4a4a4 | Medium gray |
| Input field background | #fff3c0 | Light orange |

Table 3 lists some of the colors that are identified in the logon.css file for the logon screen. For this example, I changed the font color within logon.css from orange to purple and changed the input field background for the username and password from light orange to light gray. I also made the border around the input fields stand out with a more solid blue rather than a thin gray, by changing the color code and incrementing the pixel thickness of the border. To accomplish these changes, I changed fff3c0 to cccccc, ff6c00 to 800080, and a4a4a4 to 000080 within logon.css. (Some intelligent guesswork was needed to determine exactly which elements in the CSS file to apply within the page.) After ensuring that I had a backup of logon.css, I saved the new file to \Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\14.2.283.3\Themes\Resources on the Client Access server. I also copied my new lgntopl.gif to the same folder. Figure 12 shows the simple editing that I made to customize the OWA logon screen. Of course, you aren't limited to such simple customizations. With solid knowledge of CSS and graphics work, you can develop your own custom logon and logoff screens that will appear unrecognizable compared with the defaults that OWA renders.

You might need users to delete their local browser cache for the customizations to be immediately apparent. (In my on-premises lab installation, I found it unnecessary to restart the website for the changes to be served to clients.) If you use certain proxy applications or perimeter hardware, there might also be a delay before users receive updated content.


Figure 12 

Editing to Customize 
OWA Logon Screen 


Applying Customizations 

OWA changes aren't replicated between Client Access servers. If multiple Exchange servers with the Client Access server role installed serve OWA, you'll need to apply any customizations to each of the servers if you want all users to see the same screens. Users will get the OWA screens that are specific to the Client Access server they access (although you might want different groups of users to have different OWA experiences). If you don't want to work at the file level in Exchange Server to make changes to the logon or logoff screens, some third-party companies offer this service for various customizable software solutions, including OWA 2010. Many make comprehensive changes to the OWA logon screens, to the point that the application is unrecognizable. If you use such a provider, you'll need to address any issues that arise when new service packs or updates make changes to OWA. ■
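The file-level customization described above (the version folder under Owa, the Table 2 graphic sizes, the backup advice, and the need to repeat the change on every Client Access server) as one added deployment script, not the article's code. It assumes an EMS session, the C$ administrative share on each Client Access server, and a constructed staging folder C:\OwaCustom that holds your replacement .gif, logon.css and owafont.css files.

```powershell
# Added example, not the article's code. Assumes EMS, C$ on each CAS, and C:\OwaCustom.
Add-Type -AssemblyName System.Drawing

$Staging  = 'C:\OwaCustom'                  # constructed staging path
$Expected = @{                              # width, height in pixels, from Table 2
    'lgntopl.gif' = 456,115; 'lgntopm.gif' = 1,115; 'lgntopr.gif' = 45,115
    'lgnbotl.gif' = 456,54;  'lgnbotm.gif' = 1,54;  'lgnbotr.gif' = 45,54
    'lgnleft.gif' = 15,200;  'lgnright.gif' = 15,200; 'lgnexlogo.gif' = 22,22
}

# OWA serves its resources from the highest-numbered version folder (14.2.283.3 after
# SP2 Rollup 1, for example), so resolve it per server instead of hard-coding it.
function Get-OwaResourcePath([string]$Server) {
    $owa = "\\$Server\C$\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa"
    $latest = Get-ChildItem $owa |
              Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+(\.\d+){3}$' } |
              Sort-Object { [version]$_.Name } -Descending | Select-Object -First 1
    Join-Path $latest.FullName 'Themes\Resources'
}

# SHA-256 fingerprint of the logon/logoff screen files, for cross-server comparison.
function Get-ResourceFingerprint([string]$Folder) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $lines = Get-ChildItem (Join-Path $Folder '*') -Include '*.gif','logon.css','owafont.css' |
             Sort-Object Name | ForEach-Object {
                 $hash = $sha.ComputeHash([System.IO.File]::ReadAllBytes($_.FullName))
                 '{0} {1}' -f $_.Name, (($hash | ForEach-Object { $_.ToString('x2') }) -join '')
             }
    $lines -join "`n"
}

# 1. Refuse to deploy a graphic whose size differs from the default: logon.css places
#    each .gif by pixel position, so a resized file breaks the layout unless the CSS changes too.
$problems = foreach ($f in Get-ChildItem $Staging -Filter '*.gif') {
    if (-not $Expected.ContainsKey($f.Name)) { continue }
    $img = [System.Drawing.Image]::FromFile($f.FullName)
    $w, $h = $Expected[$f.Name]
    if ($img.Width -ne $w -or $img.Height -ne $h) {
        "$($f.Name) is $($img.Width)x$($img.Height), expected ${w}x${h}"
    }
    $img.Dispose()
}
if ($problems) { throw "Fix these graphics (or logon.css) before deploying:`n$($problems -join "`n")" }

# 2. Back up the defaults, then deploy to every CAS: customizations are not replicated.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$servers = Get-ClientAccessServer | ForEach-Object { $_.Name }
foreach ($srv in $servers) {
    $target = Get-OwaResourcePath $srv
    Copy-Item $target "$target.bak-$stamp" -Recurse      # restorable copy of the originals
    Copy-Item (Join-Path $Staging '*') $target -Force
    Write-Host "$srv : updated $target (backup: $target.bak-$stamp)"
}

# 3. Every server should now serve byte-identical files; a second group means a missed server.
$prints = $servers | ForEach-Object {
    New-Object PSObject -Property @{ Server = $_; Print = Get-ResourceFingerprint (Get-OwaResourcePath $_) }
}
if (@($prints | Group-Object Print).Count -ne 1) {
    Write-Warning 'Logon-screen files differ between Client Access servers; re-run for the stragglers.'
} else {
    Write-Host 'All Client Access servers serve identical logon-screen files.'
}
```

The backup folder sits beside Resources inside the version folder, so a service pack that creates a new version folder leaves both the backup and your customization behind, which is the moment to re-run this script against the new folder.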
Top 10 Active Directory Tasks Solved with PowerShell

Using cmdlets is easier than you think 

Managing Active Directory (AD) with Windows PowerShell is easier than you think, and I want to prove it to you. Many IT pros think that they must become scripting experts whenever anyone mentions PowerShell. That couldn't be further from the truth. PowerShell is a management engine that you can work with in an interactive management console. It just so happens that you can take those interactive commands and throw them into a script to save typing, but you don't need to script to use PowerShell. You can handle the most common AD management tasks without writing a single script.

Requirements 

To use PowerShell to manage AD, you need to meet a few requirements. I'm going to demonstrate how to use the AD cmdlets from a Windows 7 desktop. (You can also use the free AD cmdlets from Quest Software, in which case the syntax will vary slightly.)

To use the Microsoft cmdlets, you must have a Windows Server 2008 
R2 domain controller (DC), or you can download and install the Active 
Directory Management Gateway Service on legacy DCs. Be sure to read 
the installation notes carefully; installation requires a DC reboot. 

On the client side, download and install Remote Server Administration Tools (RSAT) for either Windows 7 or Windows 8. In Windows 7, you'll need to open Programs in Control Panel and select Turn Windows Features On or Off. Scroll down to Remote Server Administration Tools and expand Role Administration Tools. Select the appropriate check boxes under AD DS and AD LDS Tools, especially the check box for the Active Directory Module for Windows PowerShell, as shown in Figure 1. (In Windows 8, all tools are selected by default.) Now we're ready to roll.

Figure 1: Turning on AD DS and AD LDS Tools

For the sake of simplicity, I've logged on with an account that has domain admin rights. Many of the cmdlets that I'll show allow you to specify alternative credentials. In any case, I recommend reading full cmdlet Help and examples for everything I'm going to show you.

Open a PowerShell session and import the module:

PS C:\> Import-Module ActiveDirectory

The import also creates a new PSDrive, but we won't be using it. However, you might want to see which commands are in the module:

PS C:\> get-command -module ActiveDirectory

If you can use a command for one AD object, you can use it for 10 or 100 or 1,000. Let's put some of these cmdlets to work.

Task 1: Reset a User Password 

Let’s start with a typical IT pro task: resetting a user’s password. 
We can easily accomplish this by using the Set-ADAccountPassword 
cmdlet. The tricky part is that the new password must be specified as 
a secure string: a piece of text that’s encrypted and stored in memory 
for the duration of your PowerShell session. So first, we’ll create a 
variable with the new password: 

PS C:\> $new=Read-Host "Enter the new password" -AsSecureString 



Windows IT Pro / December 2012, www.windowsitpro.com 

Top 10 Active Directory Tasks 


Next, PowerShell prompts for the new password. The characters are 
masked as you type them, and the value never appears on screen or in 
the command history. 

Now we can retrieve the account (using the sAMAccountName is best) 
and provide the new password. Here’s the change for user Jack Frost: 

PS C:\> Set-ADAccountPassword jfrost -Reset -NewPassword $new 

The -Reset switch performs an administrative reset; without it, the 
cmdlet also asks for the account’s current password. Unfortunately, 
there’s a bug with this cmdlet: -Passthru, -Whatif, and -Confirm don’t 
work. If you prefer a one-line approach, try this: 

PS C:\> Set-ADAccountPassword jfrost -Reset -NewPassword 
(ConvertTo-SecureString -AsPlainText -String "P@ssw0rdlz3" -Force) 

Be aware that the one-liner puts the password in clear text into your 
command history and into any PowerShell transcript or screen capture, 
so prefer the Read-Host approach for anything but a throwaway test account. 

Finally, I need Jack to change his password at his next logon, so I’ll 
modify the account by using Set-ADUser: 

PS C:\> Set-ADUser jfrost -ChangePasswordAtLogon $True 

The command doesn’t write anything to the pipeline or console unless you 
use -PassThru. But I can verify success by retrieving the user with the 
Get-ADUser cmdlet and asking for the PasswordExpired property, as 
shown in Figure 2. 

The upshot is that it takes very little effort to reset a user’s pass¬ 
word by using PowerShell. I’ll admit that the task is also easily accom¬ 
plished by using the Microsoft Management Console (MMC) Active 
Directory Users and Computers snap-in. But using PowerShell is a 
good alternative if you need to delegate the task, don’t want to deploy 
the Active Directory Users and Computers snap-in, or are resetting 
the password as part of a larger, automated IT process. 
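The reset described in Task 1, written up as a reusable function. This is an added example and not code from the article; it assumes the ActiveDirectory module is imported, PowerShell 3.0 or later, and that the caller holds reset-password rights on the target account. The function name, the optional -Server parameter and the audit-record fields are my own choices.

```powershell
# Added example, not from the article: an administrative reset that never
# puts the password on the command line, forces a change at next logon and
# verifies the result on the same DC. Assumes the ActiveDirectory module is
# imported (PowerShell 3.0+) and reset-password rights on the target.
function Reset-ADUserPasswordSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity,      # sAMAccountName, DN, GUID or SID
        [string]$Server         # optional: pin every call to one DC
    )

    $dcArgs = @{}
    if ($Server) { $dcArgs['Server'] = $Server }

    # Interactive, masked prompt: the value lives only in a SecureString.
    $new = Read-Host "New password for $Identity" -AsSecureString
    if ($new.Length -eq 0) { throw 'Empty password rejected.' }

    $user = Get-ADUser -Identity $Identity -Properties LockedOut @dcArgs

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) {
        # -Reset is an administrative reset; without it the cmdlet asks for
        # the current password as well.
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $new @dcArgs
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true @dcArgs
        # A reset often follows a lockout (see Task 3), so clear that too.
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user @dcArgs }

        # Read back from the DC we wrote to and hand out an audit record.
        $after = Get-ADUser -Identity $user `
                    -Properties PasswordLastSet, PasswordExpired, LockedOut @dcArgs
        [pscustomobject]@{
            User            = $after.SamAccountName
            ResetBy         = "$env:USERDOMAIN\$env:USERNAME"
            ResetAt         = Get-Date
            PasswordLastSet = $after.PasswordLastSet
            MustChange      = $after.PasswordExpired   # True after the reset
            LockedOut       = $after.LockedOut
        }
    }
}

# Preview, then run for real and keep the audit line:
# Reset-ADUserPasswordSafely -Identity jfrost -WhatIf
# Reset-ADUserPasswordSafely -Identity jfrost | Export-Csv .\pwreset-log.csv -NoTypeInformation
```

Because the function implements ShouldProcess itself, -WhatIf and -Confirm work even though the underlying Set-ADAccountPassword ignores them, and the record it returns is what you keep as evidence of who reset which account and when.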


Figure 2: Results of the Get-ADUser cmdlet with the PasswordExpired property 

PS C:\> get-aduser jfrost -prop PasswordExpired 

DistinguishedName : CN=Jack Frost,OU=staff,OU=Testing,DC=GLOBOMANTICS,DC=local 
Enabled           : True 
GivenName         : Jack 
Name              : Jack Frost 
ObjectClass       : user 
ObjectGUID        : 556afc39-9ece-47a3-ada5-b6f02961f196 
PasswordExpired   : True 
SamAccountName    : jfrost 
SID               : S-1-5-21-2552845031-2197025230-307725880-1601 
Surname           : Frost 
UserPrincipalName : jfrost@GLOBOMANTICS.local 




Task 2: Disable and Enable a User Account 

Next, let’s disable an account. We’ll continue to pick on Jack Frost. 
This code takes advantage of the -Whatif parameter, which you can 
find on many cmdlets that change things, to verify my command 
without running it: 


PS C:\> Disable-ADAccount jfrost -whatif 

What if: Performing operation "Set" on Target "CN=Jack Frost, 
OU=staff,OU=Testing,DC=GLOBOMANTICS,DC=local". 

Now to do the deed for real: 


PS C:\> Disable-ADAccount jfrost 

When the time comes to enable the account, can you guess the 
cmdlet name? 


PS C:\> Enable-ADAccount jfrost 

These cmdlets can be used in a pipelined expression to enable or 
disable as many accounts as you need. For example, this code dis- 
ables all user accounts in the Sales department: 

PS C:\> get-aduser -filter "department -eq 'sales'" | disable-adaccount 

Writing the filter for Get-ADUser can be a little tricky, but that’s where 
using -Whatif with the Disable-ADAccount cmdlet comes in handy. 

Task 3: Unlock a User Account 

Now, Jack has locked himself out after trying to use his new pass¬ 
word. Rather than dig through the GUI to find his account, I can 
unlock it by using this simple command: 

PS C:\> Unlock-ADAccount jfrost 

This cmdlet also supports the -Whatif and -Confirm parameters. 

Task 4: Delete a User Account 

Deleting 1 or 100 user accounts is easy with the Remove-ADUser cmd¬ 
let. I don’t want to delete Jack Frost, but if I did, I could use this code: 

PS C:\> Remove-ADUser jfrost -whatif 
What if: Performing operation "Remove" on Target 
"CN=Jack Frost,OU=staff,OU=Testing,DC=GLOBOMANTICS,DC=local". 

Or I could pipe in a bunch of users and delete them with one command: 

PS C:\> get-aduser -filter "enabled -eq 'false'" -property WhenChanged 
-SearchBase "OU=Employees,DC=Globomantics,DC=Local" | 
where {$_.WhenChanged -le (Get-Date).AddDays(-180)} | Remove-ADUser -whatif 

This one-line command would find and delete all disabled accounts 
in the Employees organizational unit (OU) that haven’t been changed 
in at least 180 days. Two cautions: whenChanged is maintained locally 
by each DC rather than replicated, so point the query at one DC with 
-Server if the exact date matters, and drop -whatif only after you’ve 
reviewed (and ideally exported) the list it produces. 

Figure 3: Finding Filtered Universal Groups 
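The stale-account cleanup from Task 4 as a function that keeps evidence before it deletes anything. This is an added example, not the article’s code; it assumes the ActiveDirectory module and PowerShell 3.0 or later, and the OU, the CSV path and the 180-day default are sample values of my own.

```powershell
# Added example, not from the article: list disabled users in an OU that have
# not changed in N days, save that list as evidence, and only then remove them.
# Assumes the ActiveDirectory module and PowerShell 3.0 or later; the OU, the
# CSV path and the 180-day default are sample values.
function Remove-StaleDisabledUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [int]$Days = 180,
        [string]$ReportPath = ".\stale-users-$(Get-Date -Format yyyyMMdd).csv",
        [string]$Server
    )
    $dcArgs = @{}
    if ($Server) { $dcArgs['Server'] = $Server }
    $cutoff = (Get-Date).AddDays(-$Days)

    # whenChanged is set locally by each DC and is not replicated, so query
    # and delete against the same DC (-Server) to get one consistent view.
    $stale = @(Get-ADUser -Filter "Enabled -eq 'False'" -SearchBase $SearchBase `
                  -Properties WhenChanged, Description, MemberOf @dcArgs |
              Where-Object { $_.WhenChanged -le $cutoff })

    if ($stale.Count -eq 0) { Write-Verbose 'Nothing to do.'; return }

    # Evidence first: who is about to go, what they belonged to, who decided.
    $stale |
        Select-Object SamAccountName, DistinguishedName, WhenChanged, Description,
            @{n = 'Groups';     e = { $_.MemberOf -join ';' }},
            @{n = 'ReviewedBy'; e = { "$env:USERDOMAIN\$env:USERNAME" }} |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Verbose "$($stale.Count) account(s) written to $ReportPath"

    foreach ($u in $stale) {
        $why = "Remove user (disabled, unchanged since $($u.WhenChanged))"
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, $why)) {
            Remove-ADUser -Identity $u -Confirm:$false @dcArgs
        }
    }
}

# Dry run first; the real run prompts per account because ConfirmImpact is High:
# Remove-StaleDisabledUser -SearchBase 'OU=Employees,DC=Globomantics,DC=Local' -WhatIf -Verbose
# Remove-StaleDisabledUser -SearchBase 'OU=Employees,DC=Globomantics,DC=Local' -Days 180
```

The group list in the CSV is the part people regret not having: once the object is gone, its memberships go with it, and the export is the only record of what access a recovered account would need.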


Task 5: Find Empty Groups 

Group management seems like an endless and thankless task. There 
are a variety of ways to find empty groups. Some expressions might 
work better than others, depending on your organization. This code 
will find all groups in the domain, including built-in groups: 

PS C:\> get-adgroup -filter * | where {-Not 
($_ | get-adgroupmember)} | Select Name 

If you have groups with hundreds of members, then using this 
command might be time-consuming; Get-ADGroupMember checks 
every group. If you can limit or fine-tune your search, so much the 
better. 

Here’s another approach: 

PS C:\> get-adgroup -filter "members -notlike '*' -AND GroupScope -eq 
'Universal'" -SearchBase "OU=Groups,OU=Employees,DC=Globomantics,DC=local" | 
Select Name,Group* 

This command finds all universal groups in my Groups OU that don’t 
have any members and displays a few of their properties. You can see 
the result in Figure 3. 
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Task 6: Add Members to a Group 

Let’s add Jack Frost to the Chicago IT group: 
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PS C:\> add-adgroupmember "Chicago IT" -Members jfrost 

It’s that simple. You can just as easily add hundreds of users to a 
group, although doing so is a bit more awkward than I would like: 

PS C:\> Add-ADGroupMember "Chicago Employees" -member 
(get-aduser -filter "city -eq 'Chicago'") 

I used a parenthetical pipelined expression to find all users with a 
City property of Chicago. The code in the parentheses is executed 
and the resulting objects are piped to the -Member parameter. Each 
user object is then added to the Chicago Employees group. It doesn’t 
matter whether there are 5 or 500 users; updating group membership 
takes only a few seconds. This expression could also be written using 
ForEach-Object, which might be easier to follow: 

PS C:\> Get-ADUser -filter "city -eq 'Chicago'" | foreach 
{Add-ADGroupMember "Chicago Employees" -Member $_} 

Task 7: Enumerate Members of a Group 

You might want to see who belongs to a given group. For example, you 
should periodically find out who belongs to the Domain Admins group: 

PS C:\> Get-ADGroupMember "Domain Admins" 

Figure 4 illustrates the result. 

The cmdlet writes an AD object for each member to the pipeline. 
But what about nested groups? My Chicago All Users group is a 
collection of nested groups. To get a list of all user accounts, all I 
need to do is use the -Recursive parameter, which expands the nesting 
and returns only the leaf objects (users and computers), not the 
intermediate groups: 

PS C:\> Get-ADGroupMember "Chicago All Users" -Recursive | Select DistinguishedName 


Figure 4: Finding members of the Domain Admins group 

PS C:\> Get-ADGroupMember "Domain Admins" 

distinguishedName : CN=Administrator,CN=Users,DC=GLOBOMANTICS,DC=local 
name              : Administrator 
objectClass       : user 
objectGUID        : 4a52481e-fc7f-4382-b76d-82ebf185a932 
SamAccountName    : Administrator 
SID               : S-1-5-21-2552845031-2197025230-307725880-500 

distinguishedName : CN=Jeff Hicks,OU=Employees,DC=GLOBOMANTICS,DC=local 
name              : Jeff Hicks 
objectClass       : user 
objectGUID        : 99c14843-37f4-4576-b344-820394dea5ef 
SamAccountName    : jeff 
SID               : S-1-5-21-2552845031-2197025230-307725880-1129 

distinguishedName : CN=Ida Noh,OU=Employees,DC=GLOBOMANTICS,DC=local 
name              : Ida Noh 
objectClass       : user 
objectGUID        : 89473371-e724-4c4c-80ec-2a8dc37a72c8 

If you want to go the other way—that is, if you want to find which 
groups a user belongs to—you can look at the user’s MemberOf 
property: 


PS C:\> get-aduser jfrost -property MemberOf | Select -ExpandProperty MemberOf 
CN=NewTest,OU=Groups,OU=Employees,DC=GLOBOMANTICS,DC=local 
CN=Chicago Test,OU=Groups,OU=Employees,DC=GLOBOMANTICS,DC=local 
CN=Chicago IT,OU=Groups,OU=Employees,DC=GLOBOMANTICS,DC=local 
CN=Chicago Sales Users,OU=Groups,OU=Employees,DC=GLOBOMANTICS,DC=local 

I used the -ExpandProperty parameter to output the names of 
MemberOf as strings. Note that MemberOf lists only direct memberships: 
it doesn’t include the user’s primary group (usually Domain Users) or 
groups the user belongs to through nesting. 
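Task 7 recommends checking Domain Admins periodically; the function below turns that into a repeatable audit of the built-in privileged groups with a saved baseline. It is an added example and not the article’s code; it assumes the ActiveDirectory module and PowerShell 3.0 or later, and the group list and the baseline file path are sample values of my own.

```powershell
# Added example, not from the article: dump the expanded membership of the
# built-in privileged groups and warn about any change against a saved
# baseline. Assumes the ActiveDirectory module and PowerShell 3.0 or later;
# the group list and baseline path are sample values.
function Get-PrivilegedGroupReport {
    [CmdletBinding()]
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators'),
        [string]$BaselinePath = '.\priv-baseline.csv',
        [switch]$SaveBaseline
    )

    $rows = foreach ($g in $Groups) {
        $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
        if (-not $grp) { Write-Warning "Group '$g' not found"; continue }

        # -Recursive yields leaf objects only; the nested groups themselves are
        # not listed, so capture them separately to explain how someone got in.
        $nested = @(Get-ADGroupMember -Identity $grp | Where-Object { $_.objectClass -eq 'group' })
        foreach ($m in (Get-ADGroupMember -Identity $grp -Recursive)) {
            $acct = $null   # stays $null for computers and other non-user members
            if ($m.objectClass -eq 'user') {
                $acct = Get-ADUser -Identity $m -Properties Enabled, PasswordNeverExpires, LastLogonDate
            }
            [pscustomobject]@{
                Group                = $grp.Name
                Member               = $m.SamAccountName
                ObjectClass          = $m.objectClass
                SID                  = $m.SID.Value
                Enabled              = $acct.Enabled
                PasswordNeverExpires = $acct.PasswordNeverExpires
                LastLogonDate        = $acct.LastLogonDate
                NestedGroups         = ($nested | ForEach-Object { $_.Name }) -join ';'
            }
        }
    }

    if ($SaveBaseline -or -not (Test-Path $BaselinePath)) {
        $rows | Export-Csv -Path $BaselinePath -NoTypeInformation
        Write-Verbose "Baseline written to $BaselinePath"
        return $rows
    }

    # Compare on SID, not on name: a renamed or re-created account would
    # otherwise pass unnoticed.
    $baseline = Import-Csv $BaselinePath
    $changes  = Compare-Object -ReferenceObject $baseline -DifferenceObject $rows -Property Group, SID
    foreach ($c in $changes) {
        $state = if ($c.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        Write-Warning "$state in $($c.Group): $($c.SID)"
    }
    $rows
}

# First run records the baseline; every later run warns on membership changes.
# Rows worth a second look: admins that never expire, are disabled, or never log on.
# Get-PrivilegedGroupReport -Verbose | Where-Object { $_.PasswordNeverExpires -or -not $_.Enabled }
```

Schedule it and pipe the warnings into whatever you already alert on; an unexplained ADDED line in Domain Admins is exactly the event you want to hear about before an attacker relies on it.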
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Task 8: Find Obsolete Computer Accounts 

I’m often asked how to find obsolete computer accounts. My response 
is always, “What defines obsolete?” Different organizations most 
likely have a different definition for when a computer account (or 
user account, for that matter) is considered obsolete or no longer in 
use. Personally, I’ve always found it easiest to find computer accounts 
that haven’t changed their password in a given number of days. I 
tend to use 90 days as a cutoff, assuming that if a computer hasn’t 
changed its password with the domain in that period, it’s offline and 
most likely obsolete. The cmdlet to use is Get-ADComputer: 

PS C:\> get-adcomputer -filter "Passwordlastset -lt '1/1/2012'" 
-properties * | Select name,passwordlastset 

The filter works best with a hard-coded value, but this code will 
retrieve all computer accounts that haven’t changed their password 
since January 1, 2012. You can see the results in Figure 5. 


Figure 5: Finding obsolete computer accounts 

PS C:\> get-adcomputer -filter "Passwordlastset -lt '1/1/2012'" -property * | Select name,passwordlastset 

name          passwordlastset 
----          --------------- 
CHI-SRV01     7/18/2011 4:18:53 PM 
TestDesk01    8/9/2011 2:06:41 PM 
TestDEsk02    8/9/2011 2:06:50 PM 
testdesk03    8/9/2011 2:06:57 PM 
TestDesk001 
TestDesk002 
testdesk003 


Another option, assuming that you’re at least at the Windows 2003 
domain functional level, is to filter by using the LastLogonTimeStamp 
property. This value is the number of 100-nanosecond intervals since 
January 1, 1601, stored in UTC (a Windows FileTime), so working with 
this value gets a little tricky: 

PS C:\> get-adcomputer -filter "LastlogonTimestamp -gt 0" -properties * | 
select name,lastlogontimestamp,@{Name="LastLogon";Expression= 
{[datetime]::FromFileTime($_.Lastlogontimestamp)}},passwordlastset | 
Sort LastLogonTimeStamp 


I added a custom property that takes the LastLogonTimeStamp value 
and converts it into a friendly date. Figure 6 depicts the result. 


Figure 6: Converting the LastLogonTimeStamp value to a friendly date 

PS C:\> get-adcomputer -filter "LastlogonTimestamp -gt 0" -property * | select name,lastlogontimestamp,@{Name="LastLogon";Expression={[datetime]::FromFileTime($_.Lastlogontimestamp)}},passwordlastset | Sort LastLogonTimeStamp 

name         lastlogontimestamp  LastLogon            passwordlastset 
----         ------------------  ---------            --------------- 
CHI-SRV01    129554939339383047  7/18/2011 4:18:5...  7/18/2011 4:18:5... 
CHI-DC01     129790551955163810  4/16/2012 9:06:3...  4/23/2012 9:38:1... 
CHI-WIN7-22  129790552282507560  4/16/2012 9:07:0...  4/23/2012 9:52:1... 
CHI-FP01     129790678572000963  4/16/2012 12:37:...  4/16/2012 12:52:... 
CHI-EX01     129792373368936230  4/18/2012 11:42:...  3/27/2012 1:08:2... 
CHI-DB01     129792373455377578  4/18/2012 11:42:...  3/27/2012 1:08:3... 
CHI-DC02     129799197338710124  4/26/2012 9:15:3...  4/23/2012 9:54:0... 

To create a filter, I need to convert a date, such as January 1, 2012, 
into the correct format, by converting it to a FileTime: 


PS C:\> $cutoff=(Get-Date "1/1/2012").ToFileTime() 
PS C:\> $cutoff 
129698676000000000 


Now I can use this variable in a filter for Get-ADComputer: 

PS C:\> Get-ADComputer -Filter "(lastlogontimestamp -lt $cutoff) -or 
(lastlogontimestamp -notlike '*')" -property * | 
Select Name,LastlogonTimestamp,PasswordLastSet 

This query finds the same computer accounts as in Figure 5. Keep in 
mind that a DC updates LastLogonTimeStamp only when the stored value 
is more than 9 to 14 days old (the interval includes a random offset), so 
the attribute can lag a real logon by up to two weeks. For a cutoff 
measured in months it doesn’t matter which approach you take, as long 
as you aren’t looking for real-time tracking. 
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Task 9: Disable a Computer Account 

Perhaps when you find those inactive or obsolete accounts, you’d 
like to disable them. Easy enough. We’ll use the same cmdlet that 
we use with user accounts. You can specify it by using the account’s 
sAMAccountName, which for a computer ends in a dollar sign: 

PS C:\> Disable-ADAccount -Identity "chi-srv01$" -whatif 
What if: Performing operation "Set" on Target "CN=CHI-SRV01, 
CN=Computers,DC=GLOBOMANTICS,DC=local". 

Or you can use a pipelined expression: 

PS C:\> get-adcomputer "chi-srv01" | Disable-ADAccount 

I can also take my code to find obsolete accounts and disable all those 
accounts: 

PS C:\> get-adcomputer -filter "Passwordlastset -lt '1/1/2012'" 
-properties * | Disable-ADAccount 
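Tasks 8 and 9 together: find stale computer accounts using both signals the article discusses and disable them reversibly. This is an added example and not the article’s code; it assumes the ActiveDirectory module and PowerShell 3.0 or later, and the 90-day default, the function names and the note text written into Description are sample values of my own.

```powershell
# Added example, not from the article: find computers that look inactive by
# both pwdLastSet and lastLogonTimestamp (compared as FileTime values on the
# DC), then disable them with a dated note so the change can be reversed.
# Assumes the ActiveDirectory module and PowerShell 3.0 or later; 90 days and
# the note text are sample values.
function Get-StaleADComputer {
    [CmdletBinding()]
    param(
        [int]$Days = 90,
        [string]$SearchBase,
        [string]$Server
    )
    $opt = @{}
    if ($Server)     { $opt['Server']     = $Server }
    if ($SearchBase) { $opt['SearchBase'] = $SearchBase }

    # Both attributes are FileTimes (100-ns ticks since 1601-01-01 UTC), so
    # convert the cutoff once and let the DC do the comparison.
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTime()

    # lastLogonTimestamp is refreshed only when the stored value is 9-14 days
    # old, so it lags; require both signals before calling a machine stale.
    $filter = "(pwdLastSet -lt $cutoff) -and (Enabled -eq 'True') -and " +
              "((lastLogonTimestamp -lt $cutoff) -or (lastLogonTimestamp -notlike '*'))"

    Get-ADComputer -Filter $filter @opt `
        -Properties PasswordLastSet, LastLogonDate, OperatingSystem, Description |
        Select-Object Name, DistinguishedName, OperatingSystem, Description,
                      PasswordLastSet, LastLogonDate   # LastLogonDate = lastLogonTimestamp as a date
}

function Disable-StaleADComputer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Computer,
        [string]$Server
    )
    process {
        $opt = @{}
        if ($Server) { $opt['Server'] = $Server }
        $note = "Disabled $(Get-Date -Format yyyy-MM-dd) as stale by $env:USERNAME; was: $($Computer.Description)"
        if ($PSCmdlet.ShouldProcess($Computer.Name, 'Disable and annotate')) {
            # Identify by DN: unambiguous, and it works for both cmdlets.
            Set-ADComputer    -Identity $Computer.DistinguishedName -Description $note @opt
            Disable-ADAccount -Identity $Computer.DistinguishedName @opt
        }
    }
}

# Review the list, then disable with -WhatIf before doing it for real:
# Get-StaleADComputer -Days 90 | Format-Table Name, PasswordLastSet, LastLogonDate -AutoSize
# Get-StaleADComputer -Days 90 | Disable-StaleADComputer -WhatIf
```

Disabling rather than deleting keeps the object’s SID and group memberships intact, and the note in Description tells the next admin why the machine stopped authenticating and how to reverse it; delete only after the account has sat disabled for a further grace period.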

Task 10: Find Computers by Type 

The last task that I’m often asked about is finding computer accounts 
by type, such as servers or laptops. This requires a little creative think¬ 
ing on your part. There’s nothing in AD that distinguishes a server 
from a client, other than the OS. If you have a laptop or desktop run¬ 
ning Windows Server 2008, you’ll need to get extra creative. 

You need to filter computer accounts based on the OS. It might be 
helpful to get a list of those OSs first: 

PS C:\> Get-ADComputer -Filter * -Properties OperatingSystem | 
Select OperatingSystem -unique | Sort OperatingSystem 

Figure 7 shows what I have to work with. 

Figure 7: Retrieving a list of OSs 

PS C:\> Get-ADComputer -Filter * -Properties OperatingSystem | Select OperatingSystem -unique | Sort OperatingSystem 

OperatingSystem 
--------------- 
Windows 7 Ultimate 
Windows Server 2008 R2 Datacenter 
Windows Server 2008 R2 Enterprise 
Windows Server 2008 R2 Standard 


I want to find all the computers that have a server OS: 


PS C:\> Get-ADComputer -Filter "OperatingSystem -like '*Server*'" 
-properties OperatingSystem,OperatingSystemServicePack | 
Select Name,Op* | format-list 


I’ve formatted the results as a list, as you can see in Figure 8. 



As with the other AD Get cmdlets, you can fine-tune your search 
parameters and limit your query to a specific OU. All the expressions 
that I’ve shown you can be integrated into larger PowerShell expres¬ 
sions. For example, you can sort, group, filter, export to a comma- 
separated value (CSV), or build and email an HTML report, all from 
PowerShell and all without writing a single PowerShell script! In fact, 
here’s a bonus: a user password-age report, saved as an HTML file: 

PS C:\> Get-ADUser -Filter "Enabled -eq 'True' -AND 
PasswordNeverExpires -eq 'False'" -Properties 
PasswordLastSet,PasswordNeverExpires,PasswordExpired | 
Select DistinguishedName,Name,pass*,@{Name="PasswordAge"; 
Expression={(Get-Date)-$_.PasswordLastSet}} | sort 
PasswordAge -Descending | ConvertTo-Html -Title 
"Password Age Report" | Out-File c:\Work\pwage.htm 

This command looks intimidating, but it’s simple to follow if you have 
a little PowerShell experience. The only extra step I took was to define a 
custom property called PasswordAge. The value is a timespan between 
today and the PasswordLastSet property. I then sorted the results on 
my new property. Figure 9 shows the output from my test domain. 







Figure 9: Output of the user password-age report (c:\work\pwage.htm) 

DistinguishedName                                            Name          PasswordExpired  PasswordLastSet        PasswordNeverExpires  PasswordAge 
CN=John Doe,OU=staff,OU=Testing,DC=GLOBOMANTICS,DC=local     John Doe      True             8/9/2011 2:01:45 PM    False                 261.00:58:41.5958690 
CN=Chris Graham,OU=Employees,DC=GLOBOMANTICS,DC=local        Chris Graham  True             8/19/2011 9:36:50 AM   False                 251.05:23:36.5626543 
CN=Art Deco,OU=Employees,DC=GLOBOMANTICS,DC=local            Art Deco      True             8/19/2011 11:52:47 AM  False                 251.03:07:39.2886945 
CN=Al Fredo,OU=Employees,DC=GLOBOMANTICS,DC=local            Al Fredo      True             9/29/2011 2:16:15 PM   False                 210.00:44:11.0947136 
CN=Ida Noh,OU=Employees,DC=GLOBOMANTICS,DC=local             Ida Noh       True             9/29/2011 2:21:09 PM   False                 210.00:39:17.8462235 
CN=Mark Twain,OU=IT,OU=Employees,DC=GLOBOMANTICS,DC=local    Mark Twain    True             1/21/2012 1:25:21 PM   False                 96.01:35:05.0245669 
CN=Skip Towne,OU=Canberra,DC=GLOBOMANTICS,DC=local           Skip Towne    False            3/22/2012 8:10:49 PM   False                 34.18:49:37.7911456 
CN=Terry Kloth,OU=Canberra,DC=GLOBOMANTICS,DC=local          Terry Kloth   False            3/22/2012 8:10:49 PM   False                 34.18:49:37.6993487 
CN=Bill Freely,OU=Canberra,DC=GLOBOMANTICS,DC=local          Bill Freely   False            3/22/2012 8:10:49 PM   False                 34.18:49:37.6075518 
CN=John Plumber,OU=Canberra,DC=GLOBOMANTICS,DC=local         John Plumber  False            3/22/2012 8:10:49 PM   False                 34.18:49:37.5147784 
CN=Chip Shotz,OU=Canberra,DC=GLOBOMANTICS,DC=local           Chip Shotz    False            3/22/2012 8:10:49 PM   False                 34.18:49:37.4649737 
CN=Jack Frost,OU=staff,OU=Testing,DC=GLOBOMANTICS,DC=local   Jack Frost                                            False 


Ready, Set, Go! 

PowerShell isn’t complicated—but as with any new tool, test every¬ 
thing in a non-production environment. To learn more about manag¬ 
ing AD with PowerShell or how to use Quest cmdlets to accomplish 
the tasks I discussed in this article, read Managing Active Directory 
with Windows PowerShell: TFM 2nd Ed. (SAPIEN Press, 2010). As I 
tell my students, “It isn’t a matter of if you’ll use PowerShell, only a 
matter of when. ” You can manage AD without using PowerShell, but 
using it will give you maximum efficiency with minimal effort. ■ 
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Working in SSMS, how many times per day do we switch connections, search for objects in 
Object Explorer, look for object definitions, write “SELECT * FROM” or copy data from results 
grid to Excel? 

SSMSBoost add-in makes your work in SSMS more productive by automating daily routines. 
Install it and follow these 


Ten Time-Saving Tips when Working with SQL Server Management Studio 


1. Script object directly from SQL Editor located under cursor 
(like “go to definition” in Visual Studio). 

2. Synchronize Object Explorer tree to object located under cursor 
in SQL Editor. 

3. Add frequently-used databases to preferred connections list and 
forget about managing connection history in native connection 
dialog. Switch between databases located on different servers 
using dedicated preferred connections drop-down on the toolbar. 

4. Use "Find in Grid" feature to search for data in Results Grid. 

5. Do not type "SELECT * FROM" anymore, type "sel", hit space and 
you get the statement completed via autoreplacement. Define 
your own auto-replacements. 

6. Visualize contents of Results Grid fields using free-definable 
external programs like Word, Excel, PDF or any other viewer. Yes - 
you can view documents saved in binary fields directly from 
SSMS! 

7. Export contents of Results Grid as Excel document, XML or 
HTML table. Re-use flexible template-based scripting functionality 
and add your own export templates. 

8. Use power of status bar "connection coloring" feature of SSMS 
improved by SSMSBoost. Assign warning colors to single 
important databases or even whole servers. 

9. Manage Sessions. Save and Restore all opened documents and 
their connections. 

10. Create simple macros and assign shortcuts reusing any 
commands registered in SSMS. 
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The project started in March 2012 and managed to get enough happy users to 
win SQL Server Pro Community Choice Bronze in “Best Database Development 
Product” category. So give it a try. 

And the best: the SSMSBoost add-in is currently free. 


Check our website for even more features and information: 

www.ssmsboost.com 
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Server App-V and 
Service Templates 

System Center 2012 Virtual Machine 
Manager offers new capabilities 
for a new computing age 

I say this in many articles, talks, and books: We really are in a third 
age, as far as thinking about our IT infrastructures is concerned. 
Originally, administrators focused on each physical server on which 
an OS was installed. You walked around the data center and pointed 
to each server: “That’s my domain controller; that’s my Microsoft SQL 
Server machine,” and so on. Management was performed on a per-box 
basis because each box ran a single OS with a single application. With 
virtualization, OSs were consolidated onto fewer physical boxes host¬ 
ing multiple virtual machines (VMs), and we entered the virtualization 
age. We focused on each OS instance: “That system is running a bunch 
of VMs; that one’s running a bunch of VMs, too.” Unsurprisingly, tours 
of data centers weren’t as popular as they had been. The management 
effort was similar, provisioning became a bit easier, but there were 
extra hypervisor pieces to manage. Each OS was still managed indi¬ 
vidually. As an administrator, you connected via RDP to a server—if 
you were very advanced, you connected remotely, via System Center 
Service Manager—but still managed and focused on one OS at a time. 

The Third Age 

With the private cloud, we enter the third age of management. The 
focus shifts to the service that’s being provided. The management 
infrastructure should manage and provision the OS as a collective. 
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behind the scenes, allowing the focus to be on the service rather than 
on the underlying OS. To enable this shift to application-centric think¬ 
ing, two things are needed: 

• A way to easily deploy server-application instances with only a 
few target-specific configuration items, and the ability to move 
those application instances between OS instances without rein¬ 
stalling or losing configuration 

• A modeling capability to enable the design of services that might 
have multiple tiers of components (e.g., a database back end, a 
middleware layer, a web front end) and multiple, definable role 
instances for each tier so that the service can scale up or down, 
depending on load 

Not surprisingly, Microsoft System Center 2012 Virtual Machine Man¬ 
ager addresses both these needs. 

Application Virtualization 

Readers who are familiar with desktop technologies probably know 
that Microsoft acquired a company called Softricity several years ago, 
renaming Softricity’s Softgrid application-virtualization solution as 
Microsoft Application Virtualization. App-V allows an application to 
run locally on an OS, without being installed on the OS, through the 
use of a virtual environment. This environment has virtual layers, such 
as file system and registry, in which application artifacts (e.g., files, set¬ 
tings) reside. This application virtualization allows applications to be 
delivered very quickly. No application installation takes place. Because 
applications each run in their own virtual environment, a major appli¬ 
cation problem is solved—namely, application-to-application compati¬ 
bility challenges, such as when application A can’t exist on the same OS 
instance as application B. Because the applications are virtualized and 
run in their own sandboxed environments, they don’t see one another. 

The goals for server virtualization are different than those of desktop 
virtualization. Server application isolation is rarely required or 
even desirable. Likewise, real-time streaming of server applications 
is an uncommon requirement. What’s wanted is the ability to sim¬ 
plify the deployment of server applications, which can have primarily 
manual, 100-page installation processes. Also desirable is the ability 
to enable server-application mobility between OS instances, so that 
OSs can be serviced without lengthy application downtime, by mov¬ 
ing an application instance from one OS instance to another. 

Now, the App-V technology has been enhanced to support server 
requirements, via Microsoft Server Application Virtualization (Server 
App-V), a specific version of App-V that’s part of Virtual Machine 
Manager 2012. The major differences from the desktop App-V fea¬ 
tures are as follows: 

• Support for system services 

• COM, COM +, and DCOM components, captured and visible 
through tools such as Dcomcnfg 

• Virtualization of Windows Management Instrumentation (WMI) 
providers and classes that applications install 

• Local user and group creation 

• Virtualization of Microsoft Internet Information Services (IIS) 6.0 
and earlier websites 

• SQL Server Reporting Services (SSRS) virtualization support 

• Virtualization of application configuration and data, enabling the 
entire application installation and state to be easily backed up and 
restored 

This technology means that a server application is installed once in 
the Server App-V sequencer environment, which creates the Server 
App-V packaged version of the application. There, the entire instal¬ 
lation process is performed, and any machine-specific configurations 
(e.g., service credentials, hostnames, port numbers) are extracted. 
This packaged Server App-V application can then be quickly deployed 
in a consistent way, simply by passing these instance-specific settings 
to all the required environments (e.g., development, testing, production). 
This approach solves many problems that are common 
when deploying complex applications between environments. In 
addition, the deployed Server App-V application instance and all its 
data can easily be backed up and deployed to another OS instance, 
maintaining all application states. Not only is the server application 
virtualized, but any related configurations and data are connected to 
the packaged application and can easily be backed up and restored 
through Server App-V Windows PowerShell cmdlets, providing easy 
portability between OS instances. 

During the creation of a Server App-V sequenced server applica¬ 
tion, the sequencer process automatically identifies many instance- 
specific parameters, such as the hostname and credentials. However, 
you can also modify the packaged application after sequencing. The 
person who performs the sequencing can specify additional prop¬ 
erties from the registry, services, and XML configuration files to be 
considered instance-specific; these properties will then prompt for a 
value during the deployment of the virtualized server application. In 
future versions of Server App-V, I expect to see even more flexibility 
for extracting instance-specific values from regular text files instead 
of from XML files only. 

Service Templates 

Server App-V is designed to be combined with service templates, another 
new Virtual Machine Manager 2012 feature. Although you can use 
PowerShell cmdlets to deploy and use Server App-V packaged applica¬ 
tions, Server App-V is designed to be used as part of a service template, 
which can take advantage of its easy deployment and mobility. 

Few applications today are islands. Applications connect to services 
on other OSs, use databases, and so on. Service templates allow you 
to model a full service in the new Virtual Machine Manager Service 
Template Designer tool. With this tool, you can create application 
tiers on a canvas. You can then define the attributes of each required 
tier, along with VM templates and the applications that need to run 
on those VMs to allow the tier to function. You then make connections 
between the tiers and to other resources, such as networks and 
storage. For each tier of a service, you can configure the initial, minimum, 
and maximum number of instances of each VM that makes up 
the tier. Doing so enables scalability because VM instances can be 
added and removed as required. 

Figure 1: Three-tiered service 

The various logical networks and storage tiers can be defined or 
left as options, to be configured as instances of the full service are 
deployed. Figure 1 shows a basic three-tiered service that also uses a 
hardware load balancer to provide balancing for the web tier, which 
uses a Server App-V version of Apache. This shows another powerful 
capability of service templates and the overall new ability of Virtual 
Machine Manager 2012 to manage more than just the compute fab¬ 
ric. If the network and storage fabric have been configured in Virtual 
Machine Manager (e.g., via a hardware load balancer), then those 
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resources can automatically be used as part of a service template. 

When an instance of this service template is deployed, Virtual Machine 
Manager automatically creates all the required VMs, based on the ini¬ 
tial count of VM instances for each tier. Virtual Machine Manager then 
automatically connects to the hardware load balancer, creates a new 
pool that contains the IP addresses of the VMs that make up the web 
tier, and creates a new service on the load balancer, matching the con¬ 
figuration that’s defined in the selected virtual IP template. You can 
go from zero to running a full multi-tiered service in about 5 minutes. 

Diving into a little more detail on the options available for each 
tier, the configurations will seem very familiar if you’ve used Virtual 
Machine Manager VM templates. Essentially, each tier just uses a 
template, which can have additional configurations that can be made 
as part of a normal template definition. Essentially, the service tem¬ 
plate just gives you the opportunity to make further customizations 
to existing VM templates, if necessary. Initially, when you drag a VM 
template onto a tier definition on the service template canvas, the 
configurations match the source template exactly. However, you can 
open the tier properties and make changes. Such changes can include 
modifications to the virtual hardware specification, but they will most 
likely relate to the application configuration or SQL Server configu¬ 
ration, as shown in Figure 2. It’s through these configurations that 
applications can be added to a tier: The configurations give the tier its 
functionality and bring value to the overall service. Applications can 
be Server App-V virtualized applications, a SQL Server or web appli¬ 
cation, or any application that can be deployed via a script—which 
for enterprise applications should cover just about anything. 

Service templates offer another great capability. Typically, after 
a VM is deployed from a template, it loses its connection to that 
template. If the template is updated, there’s no way to refresh the 
deployed VM with the new details. But services that are deployed 
from a service template maintain their link to the template. You can 
update a service template, perhaps with a new OS Virtual Hard Disk 
(VHD). Or you can change the VM specifications and then point to 
a deployed instance of the service and tell it to update. If the actual 
OS VHD has been updated, the running Server App-V applications 
are backed up with all data and state, the new OS VHD is deployed 
and configured with the same settings as the VM that it’s replacing, 
and the Server App-V applications are put back. The OS image is 
refreshed but none of the application configuration or information is 
lost. This is just one use case of updating deployed services by updating 
the template. The example shows the power of focusing on the 
service rather than on the underlying OS instances. See my video for 
a quick overview of service templates. 

Figure 2: Application configuration 

Update domains are also supported with Virtual Machine Manager service
templates. Suppose that I select an instance of a deployed service
template and request an update to a newer version of the template.
The deployed service would be unavailable because the existing VMs
that make up the deployed service instance are deleted and re-created
per the new service template definition. With update domains, the
deployed service can be divided into multiple domains, which are
basically groups of servers within the deployed service. When an
update is performed, one update domain at a time is updated, leaving
the servers in the other update domains available to carry on offering
services and eliminating service downtime. This is key for keeping
services available and is similar to a model offered by many public
cloud services, including Windows Azure.

Video: John Savill provides an overview of System Center Virtual
Machine Manager 2012's Service Templates feature

During the initial service template creation, each tier is configured
with a default minimum and initial instance count of 1 and a maximum
instance count of 5. However, these values can be changed as part of
the tier configuration. Although the default initial and minimum
instance count is 1, this value shouldn't be used in a production
environment. A single instance of a tier means that the tier will be
unavailable if a VM fails, likely rendering the entire service
unavailable. In addition, at least two instances of a tier are required
to update the tier without downtime, allowing one instance to be
updated, restarted, and even re-created while the other instance
continues to service user requests. I recommend using 2 as the minimum
value; to keep two instances available while a third is being updated,
use a value of at least 3. These values specify only the scalability
range for a tier; there's no automatic scaling of a service by Virtual
Machine Manager based on the load that a tier is experiencing. If a
tier is becoming very busy, then additional instances should be added,
but this doesn't happen automatically. Both the Virtual Machine Manager
management console and the web-based System Center App Controller allow
additional instances of a tier to be added or removed, but this is a
manual action. The good news is that this scaling of tiers can also be
accomplished through PowerShell and other interfaces. It's a fairly
simple task to create your own processes that monitor the utilization
of tier instances and perform automatic scaling, if required, by using
tools such as System Center 2012 Operations Manager and System Center
2012 Orchestrator.


The Big Jump from Virtual Machines to Services 

Few organizations take full advantage of the Server App-V and ser¬ 
vice templates technologies. This isn’t surprising, given how new 
they are; it will take time for organizations to understand and adopt 
Server App-V and even longer to start thinking about deploying ser¬ 
vices by using service templates instead of individual VMs. But the 
change will happen. 

Deploying multi-tiered services isn’t always appropriate. There will 
always be one-off applications that might not be good candidates as 
offered services for an organization. But taking advantage of Server 
App-V and service modeling will still simplify the deployment and 
management of even single VM services. Over time, these technologies
can be a huge benefit to organizations. And as the private cloud is
truly embraced and the focus shifts to the application, Virtual
Machine Manager is likely to become the center point of your IT
infrastructure. ■
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Claims-Aware Options 
for SharePoint Security 

Expand SharePoint's ability to authenticate 


Authorizing access to content that's held in Microsoft SharePoint is
covered in "SharePoint Security 101: What You Need to Know to Secure
SharePoint," the first article in this multipart series covering
certain security aspects. To enforce access rights, SharePoint must be
able to identify the user who is attempting to access content.
Similarly, user identity is crucial in providing services such as the
User Profile service: The user's identity controls what he or she can
do with personal home pages and social features.

Authentication is part of the overall process of establishing a user's
identity. Ultimately, a requesting user presents some form of token to
SharePoint to prove who he or she is. SharePoint then uses this token
to associate the user with an internal object (called SPUser), which
is subsequently used to authorize access to content.

In earlier versions of SharePoint, this token could be a standard Win¬ 
dows security token, representing an Active Directory (AD) user object 
or security group, or a token generated by an ASP.NET membership 
and role provider. Although it still supports classic Windows identi¬ 
ties, SharePoint 2010 also supports a claims-based approach to identity, 
which results in several added capabilities. For example, SharePoint can 
participate in authentication infrastructures that aren’t based on Win¬ 
dows, benefiting from ease of identity delegation to back-end applica¬ 
tions and a simple and consistent environment for solution developers. 

In this article, I look at SharePoint as a claims-aware application 
and discuss the options that you now have for authenticating users 
and providing claims about their identity. You can then use these 
claims in your back-end applications. 

Claims-Based Identity 

In the claims world, a user’s identity consists of any number of attri¬ 
butes that describe things about the user: email address, full name, 
groups to which the user belongs, country of residence, and even more 
personal attributes such as passport or driver’s license number. Issuing 
authorities, such as Active Directory Federation Services (ADFS), that 
you explicitly trust issue claims about these attributes and their values. 

Claims-aware applications therefore have an explicit trust relation¬ 
ship with an issuer. These applications believe claims about users only 
if the application trusts the entity that issued the claim. And if the 
application trusts the entity, then the application need not care how 
that entity authenticates the user or from where the entity gathers the 
attributes and their values. Therefore, the application doesn’t need any 
authentication logic within its code. This abstraction of authentication 
allows the application to work in almost any identity infrastructure, 
merely processing the claims that are presented to it to establish a 
user’s identity. The trusted authorities that perform authentication are 
commonly referred to as identity providers or authentication providers. 

The notion of explicit trust is important. Without it, claims-based 
identity systems would be impossible. Your application must decide 
the authorities from which claims will be trusted. Consider the age 
attribute. You might trust people to provide their own age if its use 
within your application is merely for informational purposes; for 
example, it doesn’t really matter whether I enter my real age on my 
Facebook page. But if the purpose is to verify whether someone is 
legally allowed to buy alcohol, then you want the answer to come 
from a more authoritative power—some authority that can verify the 
answer, such as a birth-registration authority. 

SharePoint 2010 is a claims-aware application, meaning that it doesn’t 
really care how the user is authenticated. All it cares about is receiv¬ 
ing a Security Assertion Markup Language (SAML) token that provides 
values for attributes that it can use to determine the user’s identity. 
This distinction allows SharePoint to be deployed in environments that 
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might require more Internet-friendly authentication techniques than a 
pure Windows system can provide. It also means that you can make 
changes to the available authentication methods without recoding, 
recompiling, or reconfiguring SharePoint or any integrated solutions. 

One example that’s often used for a high-level description of claims- 
based identity is that of boarding an aircraft: 

1. As you approach the departure gate, you present your boarding 
card—in paper or electronic format—to the agents. 

2. The agents confirm that the boarding pass isn’t a forgery by 
verifying (via a barcode or magnetic strip) that it was issued by 
the airline. 

3. Because the agents trust the airline, they trust the details (i.e., 
the claims) such as seat number, name, and flight number that 
are on the boarding card. 

4. The agents authorize you to board the airplane. 

You have various ways to physically get your boarding card, such 
as via online check-in or at a ticket desk. Regardless of how you get 
the card, you must provide some credentials (e.g., a booking refer¬ 
ence, your passport or driver’s license) to prove your identity before 
the card is issued to you. 

In essence, the boarding card is a set of claims about you that have 
been issued and verified by an authority that the agents at the gate 
trust. The agents at the gate don’t care how you got the boarding 
card or, by implication, how you proved your identity to the issuing 
authority. This is a key benefit of claims-based identity systems: They 
abstract the whole authentication area (including maintenance such 
as password management) from the application. 

In software terms, the set of claims is called a security token. The
issuer signs each token. A claims-based application considers users to
be authenticated if they present a valid, signed security token from a
trusted issuer. No matter which authentication protocol was used, the
application gets a security token in a simple and consistent format
(i.e., SAML) that it can use to subsequently determine authorization
and permission levels for that user. Ultimately, the application can
authorize access to its resources by using any of the claims that the
user presents.

Claims-Based Authentication 

SharePoint 2010 supports two methods of identifying users. The 
method that’s used is scoped to the web application level. 

The first method is known as classic-mode authentication. This 
method uses Windows identities to identify users and supports only 
one authentication provider: Windows (or AD). The second method 
is known as claims-based authentication. This method uses claims 
to identify users and supports three authentication providers— 
Windows, forms-based authentication, and trusted identity provid¬ 
ers—which can all be used for the same web application. All these 
providers result in the generation of a SAML token and its subsequent 
presentation to SharePoint when accessing resources. 

There are many reasons why you might need or want to use some¬ 
thing other than Windows identities in your SharePoint environments: 

• You might want to offer controlled access to content across the 
Internet to people who don’t have accounts in your AD domain. 

• Perhaps you’ve merged with another organization but don’t yet 
have a trust relationship across the different forests, so Windows 
authentication isn’t possible. 

• You need to integrate with a back-end application that doesn’t 
run on Windows and therefore need a way to delegate a user’s 
identity from SharePoint to the back-end application. 

SharePoint 2010 uses the Microsoft Windows Identity Foundation (WIF,
formerly code-named the Geneva Framework) to implement claims-based
identity. WIF is a set of Microsoft .NET Framework classes that enable
the creation of claims-aware applications. Applications that are
created with WIF can process WS-Federation authentication requests.
WS-Federation is an authentication protocol that builds on two other
standard protocols: WS-Trust and WS-Security. WS-Federation supports
the token-based authentication architecture that enables a web
application to require a security token for authenticated access to
resources.

With claims-based identity, SharePoint isn't hard-coded to a specific
set of identity providers such as AD and ASP.NET authentication
providers, which were the only available providers in SharePoint 2007.
Instead, you can use any identity provider that has been designed and
implemented in accordance with WS-* security standards. This means
that you can use identity providers such as Windows Live ID, OpenID
providers (e.g., Google, Yahoo) and ADFS. Note that SharePoint 2010
itself accepts only SAML 1.1 tokens delivered over the WS-Federation
passive protocol, so a provider that speaks a different protocol, such
as an OpenID provider, is normally placed behind a federation gateway
(ADFS or Windows Azure Access Control Service) that turns its sign-in
into a WS-Federation token that SharePoint can consume.

But SharePoint actually goes a step further. As well as accepting
WS-Federation authentication requests, SharePoint now also accepts
Windows and forms-based authentication requests and converts them into
claims. Such claims can then be used inside SharePoint to communicate
with service applications and to delegate to other back-end
applications that support claims. Furthermore, SharePoint also
provides the Claims to Windows Token Service (c2WTS), which converts a
user principal name (UPN) claim back into a Windows security token,
using Kerberos protocol transition and constrained delegation, for
integration with applications that aren't claims based. Because c2WTS
can mint Windows tokens for any user, keep its service account tightly
controlled and restrict the callers that are allowed to use it.

SharePoint's Security Token Service 

To dispatch unauthenticated requests for SharePoint resources to an 
identity provider, and to convert the returned security tokens into 
claims (i.e., SAML tokens), SharePoint has its own Security Token 
Service. The STS is a Web service that comes into play for any web 
application that has been enabled for claims-based authentication. 
Figure 1 shows the high-level steps that occur when a user attempts
to access a SharePoint resource:

Figure 1: STS in Action

1. An unauthenticated HTTP request is made to the URL of the
SharePoint resource.

2. SharePoint responds, indicating that the request is unauthorized,
and provides the calling application with a URL to go to in order to
perform authentication. This depends on the authentication providers
that are enabled in SharePoint; for example, it might be a redirect to
a Windows Live ID logon page. If more than one authentication provider
is available, then the URL will be to a sign-in page that allows the
user to select the type of identity provider that he or she wants to
perform the authentication.

3. The identity provider authenticates the user against the relevant 
resource, be it AD for Windows, a membership and role pro¬ 
vider for forms-based authentication, or a SAML-based system 
such as ADFS or Windows Live ID. 

4. The identity provider returns a security token that’s specific to 
its authentication method. 

5. This identity provider-specific security token is presented to the 
SharePoint STS. The STS verifies that it trusts the issuer of the 
security token and turns the token into a SAML token, which is 
suitable for use in SharePoint. (If the identity provider issued a 
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SAML token, the STS regenerates that token.) The actual attributes 
in the SAML token depend on the identity provider. At this stage, 
the SAML token can also be augmented with your own claims 
provider before being passed back to the calling user. This aug¬ 
mentation is useful in ensuring that claims for other applications, 
such as a back-end customer relationship management (CRM) 
application, are already included in the user’s list of claims. 

6. The SAML token is returned to the user. 

7. The HTTP request, with the SAML token attached, is made to 
the original URL. SharePoint uses the SAML token to determine 
whether the user is authorized to access the requested resource. 
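As an added example, not code from the original article or from SharePoint itself, the following Python script simulates the trust and conversion steps described under "Claims-Based Identity" and in steps 5 through 7 above: a token is accepted only if it is signed by an explicitly trusted issuer, the STS maps provider-specific attributes onto a common claim set, a custom claims provider augments them with a back-end CRM role, and authorization is decided on a claim rather than on how the user logged in. The issuer names, keys, attribute mappings, CRM lookup and sample user are constructed for the example, and HMAC signatures stand in for the XML signatures that real SAML tokens carry.

```python
import hashlib
import hmac
import json

# Constructed sample keys. They stand in for the signing material a real
# issuer (ADFS, an FBA membership provider, the SharePoint STS) would hold.
# Real tokens are XML-signed with X.509 keys; HMAC keeps this example offline.
TRUSTED_ISSUERS = {
    "urn:example:adfs": b"adfs-signing-key",
    "urn:example:fba-ldap": b"fba-signing-key",
}
STS_ISSUER = "urn:example:sharepoint-sts"
STS_KEY = b"sharepoint-sts-signing-key"

# Assumed mapping of each provider's attributes onto SharePoint claim names.
# The same AD user yields different attributes from different providers.
ATTRIBUTE_MAP = {
    "urn:example:adfs": {"upn": "upn", "mail": "email", "groups": "groups"},
    "urn:example:fba-ldap": {"uid": "name", "mail": "email"},
}


def _canonical(body):
    """Deterministic serialisation so the signature covers every claim."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_token(issuer, key, claims):
    """An issuer signs a set of claims; the result is the security token."""
    body = {"issuer": issuer, "claims": claims}
    signature = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": signature}


def verify_token(token, trusted):
    """Return the claims only if the issuer is trusted and the token is intact."""
    issuer = token.get("issuer")
    if issuer not in trusted:
        raise PermissionError(f"untrusted issuer: {issuer!r}")
    body = {"issuer": issuer, "claims": token["claims"]}
    expected = hmac.new(trusted[issuer], _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("signature", "")):
        raise PermissionError("signature mismatch: claims altered or wrong key")
    return dict(token["claims"])


def is_rejected(token, trusted=TRUSTED_ISSUERS):
    """True if verify_token refuses the token (helper for the checks below)."""
    try:
        verify_token(token, trusted)
    except PermissionError:
        return True
    return False


def crm_role_provider(claims):
    """Hypothetical custom claims provider: adds a back-end CRM role (step 5)."""
    roles = {"alice@example.com": "crm:sales-manager"}  # constructed lookup
    role = roles.get(claims.get("email"))
    return {"crm_role": role} if role else {}


def sharepoint_sts(ip_token, trusted=TRUSTED_ISSUERS, providers=(crm_role_provider,)):
    """Steps 5-6: trust check, attribute mapping, augmentation, re-issue."""
    raw = verify_token(ip_token, trusted)
    mapping = ATTRIBUTE_MAP[ip_token["issuer"]]
    claims = {mapping[k]: v for k, v in raw.items() if k in mapping}
    claims["identity_provider"] = ip_token["issuer"]
    for provider in providers:
        claims.update(provider(claims))
    return issue_token(STS_ISSUER, STS_KEY, claims)


def authorize(sp_token, claim, value):
    """Step 7: authorise on a claim, regardless of how the user logged in."""
    claims = verify_token(sp_token, {STS_ISSUER: STS_KEY})
    present = claims.get(claim)
    if isinstance(present, list):
        return value in present
    return present == value


if __name__ == "__main__":
    adfs = issue_token("urn:example:adfs", TRUSTED_ISSUERS["urn:example:adfs"],
                       {"upn": "alice@example.com", "mail": "alice@example.com",
                        "groups": ["Finance"]})
    sp_token = sharepoint_sts(adfs)
    print(json.dumps(sp_token["claims"], indent=2))
    print("Finance member:", authorize(sp_token, "groups", "Finance"))
    self_asserted = issue_token("urn:self", b"anyone", {"age": 21})
    print("self-asserted age accepted:", not is_rejected(self_asserted))
```

Running the script prints the claims SharePoint would see for the ADFS-authenticated user and shows the self-asserted age token being refused, which is the explicit-trust point of the age example earlier. Feeding the same user through the LDAP forms-based issuer produces a token with no group claim at all, which is the kind of difference Figures 3 and 4 illustrate: the STS trusts both issuers, but what each one asserts about the user differs.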

The SharePoint STS is a Web service called SecurityTokenServiceApplication
and is installed on your front-end servers, in the Microsoft IIS website
called SharePoint Web Services.

Configuring Claims-Based Authentication 

You configure claims-based authentication when you create a web
application. Note that SharePoint doesn't allow you to change the
authentication mode (claims-based or classic) through Central
Administration after the application's creation. You can use Windows
PowerShell to convert from classic mode to claims-based, but not vice
versa; see the TechNet article "Migrate from classic-mode to
claims-based authentication (SharePoint Server 2010)" for details.
Configuring claims-based authentication is slightly more complex than
configuring classic mode because you must also think about the identity
providers that you're going to use. When you create the new web
application, configure the following core settings that relate to
claims-based authentication:

1. From the Manage Web Applications page in Central Administra¬ 
tion, select the New task on the Ribbon. 

2. From the resulting page, select the Claims Based Authentication 
radio button at the top of the page. 
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3. In Claims Authentication Types, select the identity providers 
that you want to support (e.g., Windows, FBA, or Trusted IP). 

4. If you specify multiple identity providers, the Sign In Page URL 
section offers the option of overriding the default sign-in page. 


Figure 2: Sign-in Page with Choice of Windows or Forms Authentication

Figure 3: Home Page After Authenticating by Using the LDAP Forms-Based
Authentication Provider

Figures 2, 3, and 4 show claims authentication in action. Figure 2
shows what happens when a user attempts to sign in to a SharePoint
site that's set up for claims authentication with both Windows and
forms-based (LDAP) authentication providers configured. The home page
on the SharePoint site has a Web Part that displays the resulting
claims of the requesting user. (This Web Part was written by Steve
Peschka, as described in the MSDN article "Claims Walkthrough: Writing
Claims Providers for SharePoint 2010.")

The differences between the claims that Figure 3 and Figure 4 show
can be accounted for by the different identity providers used to
authenticate the user. Although the same data source (i.e., the same
user object in AD) is used for authentication in both scenarios,
Windows authentication returns a different set of attributes than
LDAP authentication does.


Figure 4: Home Page After Authenticating by Using the Windows Provider


Flexibility and Opportunities 

Claims-based authentication provides more flexible deployment
options than classic mode, opening up more opportunity for integration
with environments that aren't Windows based. Remember that Windows is
a valid claims-authentication provider, so you can use the same
Windows identities that you use now for logon purposes and still
benefit from the new possibilities that claims-based authentication
enables. To help you to decide whether to implement classic or
claims-based authentication, I suggest that you read the TechNet
article "Plan for claims-based authentication or classic-mode
authentication (SharePoint 2010)." ■
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"I've always had a positive feedback on NetWrix products. We worked with the free versions 
for some time and they always provided exactly what we needed." 

Ahmed Maged, Senior System Engineer at Al Foah Co. 



Top 5 Freeware 

IT Infrastructure Auditing Tools 

Updated freeware change auditing tools for critical IT systems 


1. Active Directory Change Reporter - Updated 

The recently updated freeware product excels in auditing AD 
changes and fills major gaps found in native Microsoft tools. This 
newly updated freeware edition has an improved support for Ex¬ 
change 2010 and scalability in larger AD environments. 

Download page : www.url2open.com/hm 
Redmond review : www.url2open.com/hw 

2. File Server Change Reporter - Updated 

The tool detects changes made to files, folders and permissions, 
and tracks newly created and deleted files. The latest product 
update features support for Failover Clusters. 

Download page : www.url2open.com/hn 
Net-Security review : www.url2open.com/hy 

3. Exchange Change Reporter - Updated 

The new freeware release features non-owner mailbox access audit¬ 
ing functionality, improved support for Exchange 2010 and scalabil¬ 
ity in larger AD environments. 

Download page : www.url2open.com/ho 
E-How review : www.url2open.com/hz 

4. VMware Change Reporter 

The tool that tracks and reports configuration changes in VMware 
Virtual Center settings and permissions, such as newly created vir¬ 
tual machines, containers, alerts, ESX servers and more. 

Download page : www.url2open.com/hp 
TechTarget review : www.url2open.com/hA 

5. SQL Server Change Reporter - Updated

Freeware auditing solution that reports changes made to your SQL
Server and database content and configuration settings.

Download page : www.url2open.com/hq 
SQL Server Pro review: www.url2open.com/hC 


Top 5 Freeware 

Identity Management Tools 

Freeware password and user account management tools 
for system administrators 


1. Password Manager 

Features forgotten password reset, account lockout troubleshoot¬ 
ing, manual account unlock through a secure web-based interface 
or a Windows application. 

Download page : www.url2open.com/hr 
Windows IT Pro review : www.url2open.com/hE 

2. Inactive User Tracker 

Tracks inactive user accounts (e.g. terminated employees, graduat¬ 
ed students) so you can easily disable or remove them to eliminate 
potential security holes. 

Download page : www.url2open.com/hs 
Windows IT Pro review : www.url2open.com/hF 

3. Password Expiration Notifier 

This tool automatically reminds users to change their passwords 
before they expire, helping minimize the number of password reset 
calls for busy helpdesk administrators. 

Download page : www.url2open.com/ht 
Sys Admin Tales review : www.url2open.com/hH 

4. Logon Reporter 

Logon Reporter is a purpose-built product that automatically con¬ 
solidates and archives all types of logon events from all Active Di¬ 
rectory domain controllers and provides rich reporting capabilities. 

Download page : www.url2open.com/hu 
4sysops review : www.url2open.com/hI 

5. Privileged Account Manager 

The tool provides a secure web-based portal for accessing and au¬ 
tomatic maintenance of administrative user accounts to enable 
centralized management and auditing of all privileged identities. 

Download page : www.url2open.com/hv 
TechRepublic review : www.url2open.com/hJ 
New Release 


Microsoft Windows 8 Arrives 

The new client OS represents a radical departure from previous Windows versions 


Windows 8, Microsoft's latest client OS, features a new UI designed to be tablet
touch-friendly, and became available to customers via software upgrades or
with new PC purchases on October 26, 2012. Windows 8 represents a radical
departure from previous Windows versions and is arguably the most dramatic upgrade
Microsoft has yet developed.

The system is essentially a brand-new mobile platform that has been melded onto the 
traditional Windows desktop, giving users what Microsoft calls a “no compromises” experi¬ 
ence that blends the best of mobile with the best of Windows. Windows IT Pro brings you 
ongoing coverage of Windows 8, with in-depth treatment of significant features, breaking 
news, and analysis. Visit our Windows 8 page for the latest news and technical features. ■ 
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Windows 8 In-Depth 


► Video: Windows 8 Keyboard and Mouse Survival Guide 

► Windows 8 Client Virtualization 


► Welcome to Windows 8 
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► Upgrade from Windows 8 Enterprise Eval? Nope 

► Windows 8 Review, Part 1: The Desktop 

► Windows 8 Review, Part 2: You Got Your Metro in My Windows 


► Windows 8 Upgrade Offer for PC Buyers Goes Live 

► Start: The Windows 8 Era Begins 

► Enterprises: Now's the Time to Get Your Windows 8 On! 

► Installing Windows 8 Enterprise Edition Product Key 

► Will IT Departments Rush to (or Away from) Windows 8? 
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Windows 8 Features 


► Windows 8 Feature Focus: Settings Sync 

► Windows 8 Feature Focus: File Explorer 

► Windows 8 Feature Focus: Live Tiles 

► Windows 8 Feature Focus: From Pre-Release to RTM 

► Windows 8 Feature Focus: Charms 

► Windows 8 Feature Focus: Start Screen 

► Windows 8 Feature Focus: Lock Screen 

► Windows 8 Feature Focus: BackTip 

► Windows 8 Feature Focus: Tiles

► Windows 8 Feature Focus: Contracts 


Windows 8 Tips 


► Windows 8 Tip: Complete Windows 8 with Windows Essentials 2012 

► Windows 8 Tip: Use Trackpad Multi-touch Gestures 

► Windows 8 Tip: Pin Favorite Apps in Start Search 

► Windows 8 Tip: Picking a Backup Strategy 

► Windows 8 Tip: Upgrade from Windows 7 

► Windows 8 Tip: Upgrade from Windows XP 

► Windows 8 Tip: Upgrade from Windows Vista 

► Windows 8 Tip: Upgrade from the Release Preview 

► Windows 8 Tip: Customize the Desktop 

► Windows 8 Tip: Customize Live Tiles 

► Windows 8 Tip: Customize the Start Screen 


www.windowsitpro.com/windows-8 
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Product News 
for IT Pros 



Bit9 Breaks New Ground with Bit9 7.0 

Bit9 introduced three ways to protect large and small organizations 
against advanced threats and malware. Version 7.0 of the Bit9 solution 
delivers trust-based security that goes beyond traditional whitelisting 
and application control. Enhancements in Bit9 7.0 include IT- and 
cloud-driven trust, allowing IT organizations to create policies that 
leverage the trust ratings in Bit9’s cloud-based Global Software Regis¬ 
try (GSR) software reputation database; optimization for virtualized 
environments, eliminating repeated disk scans, multiple initializations 
of cloned virtual machines (VMs), problematic gold image updates, 
and other issues that plague traditional application control products 
in virtualized environments; large-enterprise scalability and integra¬ 
tion; and enhanced server security, delivering better memory protec¬ 
tion, file integrity monitoring, and device control to provide a single 
trust-based security solution across all enterprise systems—servers, 
desktops, and laptops. For more information, visit the Bit9 website. 




Acronis Delivers Near-Instant Recovery 
of VMware vSphere VMs 

Acronis, with its introduction of vmFlashBack, announced that it has 
significantly reduced the time required to recover virtual machines 
(VMs) in VMware virtual environments. The new feature—included 
in the latest release of Acronis vmProtect—reduces downtime by 
offering a fast, simple restore option that accelerates recovery times. 
The vmFlashBack technology copies only those data blocks that have 
changed, allowing for recovery times up to 100 times faster than 
previously achievable. Acronis has also added disk-to-disk-to-cloud 
staging in the latest release of vmProtect. Administrators can now 
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better protect data and machines by saving backup files to multiple 
locations—including off-premises private clouds through Acronis 
Online cloud. Combined with the ability to remotely recover files 
from a cloud backup location through a web-based interface, Acronis 
vmProtect can offer the “anywhere-access” benefit of a cloud-based 
backup strategy to enterprises of all sizes. Obtain further information
at the Acronis website.

Laplink Software Simplifies Windows 8 Setup 

Laplink Software announced the release of a Windows 8 version of 
PCmover, aimed at PC-to-PC migration and automatic movement of 
files, settings, and programs from an old PC to a new one. PCmover 
supports all Windows 8 upgrade scenarios, whether moving to a new 
PC or upgrading an existing one. Microsoft provides support for only 
a few limited scenarios and doesn’t provide a solution for transfer¬ 
ring applications to a new PC. PCmover offers the added benefit of a 
new remotely assisted, phone-based Free Transfer Assistance feature. 
PCmover Enterprise promises IT departments the ability to manage 
migrations even for unmanaged PCs, with studies demonstrating sav¬ 
ings of more than $300 for each PC upgraded or deployed. Migrations 
using PCmover for remote offices, subsidiaries, and non-standard PC 
rollouts that don’t follow standard IT processes can result in cost 
savings in excess of $1,000 per PC replaced or upgraded. For more
information, visit the Laplink Software website.

Viewfinity and Centrify Bring AD and Group Policy 
Control to the Mac 

Viewfinity announced a technology and marketing partnership with 
Centrify to integrate Centrify’s DirectControl for Mac OS X solution, 
which lets administrators use Active Directory (AD) and Group Policy 
to centrally control Apple Mac systems in the workplace, into View- 
finity’s Privilege Management Suite. Mac computers are becoming 
part of the workplace computing environment in many organizations. 


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Although IT desktop support personnel can centrally configure privi¬ 
lege policies for application and desktop tasks for Windows-based 
endpoints, administrators are challenged because Macs are still often 
managed on a standalone basis. With this joint solution, IT pros can 
easily lock down and manage their entire desktop environment. For 
more information, check out the Viewfinity website. 





Central Email Signature Management for Office 365 
and Google Apps 

Red Earth Software released Policy Patrol Signatures 2.0, an email sig¬ 
nature management solution for hosted email systems. Policy Patrol 
Signatures now allows companies to centrally control email signatures 
in Google Apps and Office 365 web clients without requiring a client 
plug-in. Although moving a corporate email server to the cloud has 
its advantages, companies also need to give up some control. Policy 
Patrol Signatures brings back email signature control to these compa¬ 
nies. With Policy Patrol Signatures, companies with hosted email sys¬ 
tems can configure consistent, company-wide email signatures from 
a central location without having to configure the email signature on 
each client individually. A 30-day trial version is available at the Red 
Earth Software website. 



PDF Share Forms Brings PDF Integration to SharePoint 

PDF Share Forms released a new version of its tool for PDF form 
collaboration in SharePoint environments. The new version expands 
the product’s versatility and support for Nintex Workflow and pre¬ 
developed third-party PDF/XFA forms. PDF Share Forms Enterprise 
lets you reuse existing forms in your on-premises SharePoint environ¬ 
ment. If you have traditional deployments of SharePoint on premises, 
PDF Share Forms Enterprise provides the most complete toolset and 
an unprecedented level of PDF integration. “By adding Nintex Work- 
flow support, we are extending the workflow usage scenarios,” said 
Eugene Ostapkovich, CTO of PDF Share Forms. “Our customers are 
now able to integrate PDF form support to existing or new workflows, 
and combine it with Nintex Forms.” The latest version also supports 
the digital signature solution from Arx CoSign. For more information, 
visit the PDF Share Forms website. 

Accellion's Latest Mobile File-Sharing Solution Offers 
Security Controls for Users and IT 

Accellion announced updates to its Accellion Mobile File Sharing 
solution. The updates increase ease of use for users and deliver added 
security controls for IT pros, making it easier to protect corporate 
data and ensure compliance. Although enhancements were made 
throughout the Accellion Mobile File Sharing solution, the most sig¬ 
nificant updates can be experienced in the Accellion Mobile Apps 
and Accellion’s Microsoft Productivity Suite. Updates to the Accellion 
Mobile Apps include application whitelisting, Accellion Secure Work¬ 
spaces, and Apple iOS 6 and iPhone 5 support. Accellion’s enhanced 
file-sharing security controls within the Microsoft Productivity Suite 
include the Accellion Outlook Plugin and the Accellion Lync Plugin. 
In addition, Accellion Mobile File Sharing now includes support for 
Kerberos single sign-on (SSO), as well as SAML and OAuth. For more 
information, see the Accellion website. ■ 
Cloud Computing Still in 
Its Infancy, Study Says 

We all know how important and ubiquitous email has become, not 
just in our business lives but also in our personal lives. Can you 
remember when you learned about email for the first time and didn’t 
yet know how fundamentally this technology would change the way 
we communicate and do business? Now think for a few minutes 
about cloud computing as being in that same sort of unpredictable 
infancy. 

That’s one of the findings of the Cloud Maturity study released 
last month by the Cloud Security Alliance (CSA) and ISACA. The two 
organizations surveyed more than 250 participants, ranging from end 
users to C-level executives from organizations of all sizes. Using fac¬ 
tors such as market size and diversity, levels of acceptance and inte¬ 
gration, and amount of innovation, the survey determined that cloud 
computing is still in its infancy. 

CSA and ISACA have defined four stages of development for cloud 
technology: 

• Infancy: The potential for growth and innovation hasn’t been real¬ 
ized. 

• Growth: Widespread adoption and innovation is taking place, and 
the technology is well understood. 

• Maturity: The main players are well-established, and the technol¬ 
ogy is “business as usual.” 

• Decline: The market becomes saturated, and there’s little room for 
new entrants or products. 
According to the study results, respondents rated Software as a Service 
(SaaS) as barely into the Growth phase, but it’s ahead of both 
Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). 
Consequently, cloud computing overall is squarely in its squalling 
infancy. One of the characteristics of this stage is that it’s the era of 
early adopters—and most businesses don’t want to be stuck changing 
the diapers for an untested technology. 

However, the cloud isn’t really untested if you consider that it’s just 
another way of thinking about the Internet, which has been around 
for quite a few years. Nonetheless, for most businesses, this is a new 
way of thinking about getting important IT services, which takes 
some adjustment. Maybe the cloud just has a PR problem. 

Another part of the Cloud Maturity study ranked the factors caus¬ 
ing the lack of confidence in the cloud. High among them are the 
sort of things we’ve come to expect: regulatory and compliance 
fears; data privacy and security concerns; and contract lock-in and 
exit strategies. The full survey results have a lot more information 
about these factors, but it essentially all comes back to a lack of 
trust in the cloud service providers delivering the same level of 
security or service that companies feel they can provide themselves 
on premises. 

According to the study, “cloud computing can provide significant 
opportunities for enterprises to innovate in ways that could disrupt 
established ways of providing and using information technology. 
However, according to the participants in the CSA/ISACA survey, 
the cloud market has not yet reached a level of maturity that will 
support this scenario.” It seems inevitable that such a maturity 
level will be reached. The study predicts another two to three years 
before cloud computing overall will be firmly in the Growth stage 
of development. You can download the full Cloud Maturity survey 
results from CSA or ISACA. 

—B. K. Winstead 
InstantDoc ID 144514 
Better Mailbox Accounting in Exchange 
2013 Can Affect Mailbox Quotas 

One of the more interesting changes that Microsoft made to the Infor¬ 
mation Store in Exchange Server 2013 is the way that mailbox sizes 
are reported. The Exchange 2013 developers improved the accuracy 
of the mailbox accounting system. Apparently, there’s quite a lot of 
overhead within the database that has never been charged against 
user mailbox quotas. I’m assuming that this overhead includes gen¬ 
eral debris, forgotten messages, bits of email addresses, and similar 
crud that accumulates over time. 

There’s no increase in the size of the physical database file on disk. 
All that’s affected is the calculation of how much space a user mail¬ 
box has consumed within the database and therefore how much of 
that user’s quota remains. According to the Exchange 2013 Preview 
release notes, the actual difference is in the order of 30 percent to 
40 percent more, so a mailbox that’s reported to hold 100MB of data in 
Exchange 2010 will be between 130MB and 140MB in Exchange 2013. 
You might never notice the increase if you have a sufficiently large 
quota. For instance, if your quota is 10GB and you’re only using 1GB, 
seeing an increase to 1.3 GB after your mailbox moves to Exchange 
2013 won’t cause any concern. 

A problem might exist for users who have to juggle items within 
their mailboxes because they’re teetering on the edge of their quota. 
A good indication of users who are on the verge of quota exhaustion 
is when they’re forced to delete messages, then empty the Deleted 
Items folder before they can receive messages. These users will defi¬ 
nitely have a problem when their mailboxes are moved, as there’s a 
fair bet that quota exhaustion will be a side effect of the migration. 
The mailbox move might not even complete, as the Mailbox Replica¬ 
tion Service (MRS) won’t extend a mailbox quota if a move exceeds 
the available space. 
The solution is relatively simple. First, you need to know the quotas 
currently assigned to users and how much space they’re actually 
using. There are many Windows PowerShell-based scripts you can 
use to obtain this information, including the popular script written by 
Exchange Server MVP Paul Cunningham. Next, you should identify 
users who have or who are approaching quota exhaustion and imme¬ 
diately assign these mailboxes some extra space. Apart from anything 
else, this gesture will be immediately appreciated by the users, and 
that’s always a good thing. Finally, you should consider whether your 
mailbox quotas are appropriate in light of current usage patterns, 
user expectations, and storage capacity, then adjust the quotas and 
warning limits accordingly. 
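As an added example (not Paul Cunningham’s script and not code from the original article), here is the three-step procedure above as one pass in the Exchange Management Shell: collect each mailbox’s quota and current size, project the size Exchange 2013 will report, flag the users who are already near exhaustion or whose projected size would overrun their quota, and give those mailboxes headroom before any move request is created. The growth factor (1.4, the upper end of the 30 to 40 percent figure in the release notes), the 85 percent “near exhaustion” threshold, the 25 percent headroom, the 90/100/110 percent spacing of the warning, send and send/receive limits, and the choice to switch flagged users from database defaults to per-mailbox quotas are all assumptions made for this example.

```powershell
# Added example: quota risk report and remediation ahead of an Exchange 2013 migration.
# Not the article's or any Microsoft sample code. Run from the Exchange Management
# Shell. Every tunable below is an assumption chosen for illustration.

$GrowthFactor = 1.4    # assumption: upper end of the 30-40% accounting increase in the release notes
$WarnAt       = 0.85   # assumption: also flag anyone already at 85% or more of quota today

function ConvertTo-Bytes {
    # Normalises an Exchange size or quota value to [int64] bytes.
    # Handles the live Unlimited<ByteQuantifiedSize> object (local shell) and the
    # string form "1.2 GB (1,288,490,188 bytes)" seen over remote PowerShell.
    # Returns $null when the quota is Unlimited.
    param($Value)
    if ($null -eq $Value) { return $null }
    $props = $Value.PSObject.Properties
    if ($props['IsUnlimited'] -and $Value.IsUnlimited) { return $null }
    if ($props['Value'] -and $Value.Value) { return [int64]$Value.Value.ToBytes() }
    $text = [string]$Value
    if ($text -match 'Unlimited') { return $null }
    if ($text -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    return $null
}

# Step 1: database-level send quotas, for mailboxes that inherit the database defaults
$dbQuota = @{}
foreach ($db in Get-MailboxDatabase) {
    $dbQuota[$db.Name] = ConvertTo-Bytes $db.ProhibitSendQuota
}

# Step 2: current usage versus quota, plus the size Exchange 2013 is expected to report
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $stats = Get-MailboxStatistics -Identity $mbx.Identity -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    if (-not $stats) { continue }                       # mailbox never logged on to; no statistics yet
    $used  = ConvertTo-Bytes $stats.TotalItemSize
    $quota = if ($mbx.UseDatabaseQuotaDefaults) { $dbQuota[[string]$mbx.Database] } else { ConvertTo-Bytes $mbx.ProhibitSendQuota }
    if ($null -eq $used -or $null -eq $quota) { continue }   # unlimited quota: nothing to juggle
    $projected = [int64]($used * $GrowthFactor)
    [pscustomobject]@{
        Mailbox     = $mbx.Alias
        UsedGB      = [math]::Round($used / 1GB, 2)
        QuotaGB     = [math]::Round($quota / 1GB, 2)
        PercentUsed = [math]::Round(100 * $used / $quota, 1)
        ProjectedGB = [math]::Round($projected / 1GB, 2)
        WillExceed  = $projected -gt $quota             # MRS will not extend the quota for these moves
    }
}

# Step 3: show who is at risk, then give them headroom before New-MoveRequest
$atRisk = $report | Where-Object { $_.WillExceed -or $_.PercentUsed -ge ($WarnAt * 100) }
$atRisk | Sort-Object PercentUsed -Descending | Format-Table -AutoSize

foreach ($row in $atRisk) {
    # assumption: new send quota = projected 2013 size plus 25%, rounded up to a whole GB,
    # with the warning at 90% of that and the send/receive cut-off at 110%
    $sendQuota = [int64]([math]::Ceiling($row.ProjectedGB * 1.25)) * 1GB
    Set-Mailbox -Identity $row.Mailbox `
        -UseDatabaseQuotaDefaults $false `
        -IssueWarningQuota        ([int64]($sendQuota * 0.9)) `
        -ProhibitSendQuota        $sendQuota `
        -ProhibitSendReceiveQuota ([int64]($sendQuota * 1.1)) `
        -WhatIf    # remove -WhatIf once the proposed values look right
}
```

Review the table before dropping -WhatIf: the WillExceed column is the set whose moves the Mailbox Replication Service may refuse outright, so those mailboxes need the extra space assigned before the move request is created, not after it fails. Mailboxes on unlimited quotas are skipped because there is nothing to adjust for them.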

In an era in which consumer expectations are set by the 25 GB 
mailboxes available in Gmail and Microsoft Office 365, I bet you’ll 
discover a good case for a general increase in mailbox quotas. Users 
will be happy and more productive, and you’ll establish a much bet¬ 
ter base for an eventual migration to Exchange 2013. And by the time 
you get to that point, you’ll have forgotten about the small extra over¬ 
head that the Store imposes on mailboxes. 

—Tony Redmond 
InstantDoc ID 144434 


Predicting the Future of Laptops 

Here are two bold predictions about the future of laptops: 

1. In five years, the majority of new laptops will actually be tablets 
with attachable keyboards. 

2. In five years, the majority of new laptops will have touch 
screen displays. 

Actually, these predictions aren’t that bold. If you look at Microsoft 
Surface, it seems that this might be what Microsoft is thinking as 
well. Perhaps Surface is a signpost product—a “hey guys, the future 
is over here” signpost for the laptop vendors that are lacking a sense 
of direction beyond trying to extend battery life a few minutes longer, 
add a couple more dots per inch to the screen, and make the laptop a 
few tenths of a millimeter thinner. 

I’ve been thinking about this a while. I recently got an ASUS Trans¬ 
former Pad Infinity. Functionally, it’s a Google Android ultrabook with 
a detachable touch screen and tablet. All the components are in the 
tablet, and the keyboard functions as an extra battery. I love the form 
factor of this device and its 1920 x 1200 touchscreen. It’s a wonderful 
device that’s let down by its OS. I could use this ultrabook for work if it 
had applications and an OS that allowed me to do that. Unfortunately, 
Android apps are designed with phones rather than laptops in mind, 
and very few of them successfully made the transition. 

I also have an Apple iPad 3. It’s a great device for consuming con¬ 
tent. It’s not so great when it comes to creating it. Onscreen key¬ 
boards are fantastic for Twitter updates and short email messages, 
but not for writing a few thousand words. 

Most of the problems that plague iPad also plague tablets running 
Windows 8. I have an ASUS Eee Slate EP121 tablet running Windows 8. 
It’s a great tablet, but it doesn’t have its own attachable keyboard. When 
I want to do some serious work, I have to prop up the tablet and use my 
Logitech Bluetooth keyboard—a setup that’s definitely a kludge. The 
keyboard wasn’t designed for that specific tablet, and carrying around a 
separate keyboard with its separate batteries gets annoying. 

Microsoft Surface solves this problem. It comes with a snap-on 
keyboard designed precisely for that tablet. This is a signpost I hope 
other manufacturers will follow, because attachable keyboards that 
snap on to the device are far superior to third-party generic Bluetooth 
keyboards. Surface also has a kickstand to ensure that it props up 
correctly, something that my ASUS Eee Slate EP121 tablet lacks. (I’ve 
resorted to using a photo holder for this purpose.) 

As good as Surface is, I’m more excited by the ASUS Vivo Tab RT. 
As the “First Look at the Asus Vivo Tab RT on Three” video shows, 
you can dock it with its own real keyboard. Plus, the keyboard dock 
functions as an extra battery, giving you 15 hours rather than 8 hours 
of power. 

I suspect the prediction about the majority of new laptops having 
touchscreen displays will come true. If you’re accustomed to using a 
laptop with a touchscreen, you’ve probably experienced that sinking 
feeling when you go back to using another device that doesn’t have 
it. There are certain actions that feel more natural with a touchscreen 
than a trackpad, such as swiping between applications. 

I’m less certain about whether the other prediction (i.e., the major¬ 
ity of new laptops will be tablets with attachable keyboards) will 
come true. However, we’ve definitely reached the stage where you 
can build a tablet that includes all the components traditionally in a 
laptop without making the tablet excessively large. 

With Surface and other Windows RT tablets, you can accomplish 
the same work you currently do on a laptop. If that’s not a death knell 
for the original laptop form factor, I’m not sure what is. ■ 

—Orin Thomas 
InstantDoc ID 144540 
In our 2012 Windows IT Pro Community Choice survey, we took the 
opportunity to ask you some lighthearted questions about your job. 
You’ll see some of those findings throughout our awards coverage 
toward the front of this magazine. But we left one particular question 
for the back page. Here’s a collection of your responses to the question, 
“What’s the funniest question you’ve received from an end user?” 



1. Are you open? 

2. How long will this take? 

3. Is the Internet down? 

4. What’s my password? 

5. What’s the administrator password? 

6. What does this thingy do? 

7. Can you make my computer slower? 

8. Do you know where my file went? 

9. How does my email know when to arrive 
in my time zone? 

10. Can I record the meeting and automatically 
turn the audio into a Word document? 

11. Is it possible for my mouse to overheat? 

12. Can I get our office wireless connection at he 

13. Can’t I just use the same password for 
everything? 

14. Can you put Microsoft on my computer? 

15. Did you get my email about email being down? 

16. Does this computer need all those cords plugged into the wall? 

17. Virtual servers are free, right? 

18. Does the computer need to be switched on for the monitor to work? 

19. Won’t Shift + 8 give me a capital 8? 

20. Can you write the information directly on my memory? 

21. Why does the screen go dark?! I’ll lose everything if I don’t keep 
moving my mouse! 

22. Can I change the color of Bluetooth? 

23. Where do I plug in my Wi-Fi? 

24. Can you give me access to everyone’s files? 

25. Does red mean bad? 


Send us your funny screenshots, oddball product news, and hilarious end-user 
stories. If we use your submission, you'll receive a Windows IT Pro Rubik's Cube. 


